Play interactive tour

Edit tour

Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Sample Name:	Quotation-4834898943949883.pdf.exe
Analysis ID:	383932
MD5:	ba34da45fb03afddde208fd6458ac143
SHA1:	e132408554f22f314f3e4e151d931de1d3e623e1
SHA256:	f7b3ef9d4ac8560bf644a3f3039a32f568563d3299273073abe31fa19ed6470e
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Quotation-4834898943949883.pdf.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe' MD5: BA34DA45FB03AFDDDE208FD6458AC143)

Quotation-4834898943949883.pdf.exe (PID: 5888 cmdline: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe MD5: BA34DA45FB03AFDDDE208FD6458AC143)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.liveonlinehdplay24.com/kzsw/"], "decoy": ["thelargedoor.com", "newcuus.com", "tgc.xyz", "americanrvwarranties.com", "deroshop.com", "wagyu-importer.com", "frbhomeloan.com", "taniabeautysalonspa.com", "nac-alerton.com", "ordersudsy.com", "villagegardengreeley.com", "locksmithpembrokepines.com", "rafsanjan.net", "jumlasx.xyz", "supermercadoveganmadrid.com", "rubsalmon.com", "glenhelensaturdaymotocross.com", "jichuang888.club", "aajnv.com", "stackablesllc.com", "elevatebuilder.com", "higrandtechnologies.com", "lssqzyg.com", "zjszxs.com", "ssgasiu.com", "brianterrymarketing.com", "nyatiera.com", "elemetasu.com", "larouedesecours.info", "customerye.com", "riotgentler.com", "wwwjeansjewerlys.com", "egyptcon.com", "hona-iq.com", "residsfranchise.com", "flamingogrouprealty.com", "windycitywoodturners.club", "maineguidedfishing.com", "krushirajyafarms.com", "scottsdaledrycleanaz.com", "eisdjsd.asia", "gelgoodplus.com", "numericcarbon.com", "zszq665.com", "researchripples.com", "pravschool.com", "lanshan1688.com", "bashcovid19.com", "enableauth.com", "azbibi.com", "nearyapi.com", "cqshenchi.com", "ipandasz.com", "persero14.com", "lemonadecrystal.com", "sekrema2049.com", "chilternss.com", "bestsgiftstore.com", "vlansi.icu", "namasteyg.com", "msjshelfit.com", "harbee.net", "smiley.team", "sopnosoft.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x92b78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x92df2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbf398:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbf612:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9e915:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcb135:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9e401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcac21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9ea17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcb237:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9eb8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xcb3af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9380a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xc002a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9d67c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc9e9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x94503:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xc0d23:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa4787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd0fa7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa578a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa16a9:$sqlite3step: 68 34 1C 7B E1 0xa17bc:$sqlite3step: 68 34 1C 7B E1 0xcdec9:$sqlite3step: 68 34 1C 7B E1 0xcdfdc:$sqlite3step: 68 34 1C 7B E1 0xa16d8:$sqlite3text: 68 38 2A 90 C5 0xa17fd:$sqlite3text: 68 38 2A 90 C5 0xcdef8:$sqlite3text: 68 38 2A 90 C5 0xce01d:$sqlite3text: 68 38 2A 90 C5 0xa16eb:$sqlite3blob: 68 53 D8 7F 8C 0xa1813:$sqlite3blob: 68 53 D8 7F 8C 0xcdf0b:$sqlite3blob: 68 53 D8 7F 8C 0xce033:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Quotation-4834898943949883.pdf.exe PID: 7052	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: www.liveonlinehdplay24.com/kzsw/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.liveonlinehdplay24.com/kzsw/"], "decoy": ["thelargedoor.com", "newcuus.com", "tgc.xyz", "americanrvwarranties.com", "deroshop.com", "wagyu-importer.com", "frbhomeloan.com", "taniabeautysalonspa.com", "nac-alerton.com", "ordersudsy.com", "villagegardengreeley.com", "locksmithpembrokepines.com", "rafsanjan.net", "jumlasx.xyz", "supermercadoveganmadrid.com", "rubsalmon.com", "glenhelensaturdaymotocross.com", "jichuang888.club", "aajnv.com", "stackablesllc.com", "elevatebuilder.com", "higrandtechnologies.com", "lssqzyg.com", "zjszxs.com", "ssgasiu.com", "brianterrymarketing.com", "nyatiera.com", "elemetasu.com", "larouedesecours.info", "customerye.com", "riotgentler.com", "wwwjeansjewerlys.com", "egyptcon.com", "hona-iq.com", "residsfranchise.com", "flamingogrouprealty.com", "windycitywoodturners.club", "maineguidedfishing.com", "krushirajyafarms.com", "scottsdaledrycleanaz.com", "eisdjsd.asia", "gelgoodplus.com", "numericcarbon.com", "zszq665.com", "researchripples.com", "pravschool.com", "lanshan1688.com", "bashcovid19.com", "enableauth.com", "azbibi.com", "nearyapi.com", "cqshenchi.com", "ipandasz.com", "persero14.com", "lemonadecrystal.com", "sekrema2049.com", "chilternss.com", "bestsgiftstore.com", "vlansi.icu", "namasteyg.com", "msjshelfit.com", "harbee.net", "smiley.team", "sopnosoft.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Quotation-4834898943949883.pdf.exe

ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Quotation-4834898943949883.pdf.exe

Joe Sandbox ML: detected

Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Quotation-4834898943949883.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04C81B98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04C81BA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_073CFB08
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop esi	4_2_004172DB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop ebx	4_2_00407B04
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop edi	4_2_00417D8E

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.liveonlinehdplay24.com/kzsw/

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670815248.0000000002C01000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000002.670934417.0000000002C9E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670934417.0000000002C9E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTF
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comt
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.655212335.0000000005CCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnate0
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.655212335.0000000005CCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnrig
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.659748125.0000000005CCA000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.656963455.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/n
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/A
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/B
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.656963455.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670586004.00000000010CB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe
Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6688 NtQueryInformationProcess,	0_2_073C6688
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6680 NtQueryInformationProcess,	0_2_073C6680
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A060 NtClose,	4_2_0041A060
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A110 NtAllocateVirtualMemory,	4_2_0041A110
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F30 NtCreateFile,	4_2_00419F30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419FE0 NtReadFile,	4_2_00419FE0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A05A NtClose,	4_2_0041A05A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A10D NtAllocateVirtualMemory,	4_2_0041A10D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419FDB NtCreateFile,NtReadFile,	4_2_00419FDB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01779860
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01779660
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017796E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_017796E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779950 NtQueueApcThread,	4_2_01779950
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779910 NtAdjustPrivilegesToken,	4_2_01779910
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017799D0 NtCreateProcessEx,	4_2_017799D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017799A0 NtCreateSection,	4_2_017799A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177B040 NtSuspendThread,	4_2_0177B040
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779840 NtDelayExecution,	4_2_01779840
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779820 NtEnumerateKey,	4_2_01779820
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017798F0 NtReadVirtualMemory,	4_2_017798F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017798A0 NtWriteVirtualMemory,	4_2_017798A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779B00 NtSetValueKey,	4_2_01779B00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177A3B0 NtGetContextThread,	4_2_0177A3B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A50 NtCreateFile,	4_2_01779A50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A20 NtResumeThread,	4_2_01779A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A10 NtQuerySection,	4_2_01779A10
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A00 NtProtectVirtualMemory,	4_2_01779A00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A80 NtOpenDirectoryObject,	4_2_01779A80
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779560 NtWriteFile,	4_2_01779560
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779540 NtReadFile,	4_2_01779540
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177AD30 NtSetContextThread,	4_2_0177AD30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779520 NtWaitForSingleObject,	4_2_01779520
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017795F0 NtQueryInformationFile,	4_2_017795F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017795D0 NtClose,	4_2_017795D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177A770 NtOpenThread,	4_2_0177A770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779770 NtSetInformationFile,	4_2_01779770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779760 NtOpenProcess,	4_2_01779760
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779730 NtQueryVirtualMemory,	4_2_01779730
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779710 NtQueryInformationToken,	4_2_01779710
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177A710 NtOpenProcessToken,	4_2_0177A710
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779FE0 NtCreateMutant,	4_2_01779FE0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017797A0 NtUnmapViewOfSection,	4_2_017797A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779780 NtMapViewOfSection,	4_2_01779780
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779670 NtQueryInformationProcess,	4_2_01779670
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779650 NtQueryValueKey,	4_2_01779650
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779610 NtEnumerateValueKey,	4_2_01779610

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_04C80448	0_2_04C80448
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_04C81770	0_2_04C81770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5300	0_2_073C5300
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6FC0	0_2_073C6FC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1ED8	0_2_073C1ED8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6FB6	0_2_073C6FB6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C2A08	0_2_073C2A08
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1A70	0_2_073C1A70
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C06B9	0_2_073C06B9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1A80	0_2_073C1A80
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C52EF	0_2_073C52EF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C06C8	0_2_073C06C8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1ECA	0_2_073C1ECA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C8518	0_2_073C8518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C8508	0_2_073C8508
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C2978	0_2_073C2978
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C29BF	0_2_073C29BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C11A0	0_2_073C11A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5598	0_2_073C5598
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1190	0_2_073C1190
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5588	0_2_073C5588
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C89F8	0_2_073C89F8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C89E8	0_2_073C89E8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6820	0_2_073C6820
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1810	0_2_073C1810
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6812	0_2_073C6812
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1800	0_2_073C1800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5C78	0_2_073C5C78
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1CB1	0_2_073C1CB1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5C88	0_2_073C5C88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C8CE8	0_2_073C8CE8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C8CD8	0_2_073C8CD8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1CC0	0_2_073C1CC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401028	4_2_00401028
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D91B	4_2_0041D91B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041E1A8	4_2_0041E1A8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D21B	4_2_0041D21B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041ECBA	4_2_0041ECBA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409E40	4_2_00409E40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409E3B	4_2_00409E3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041E7BA	4_2_0041E7BA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01754120	4_2_01754120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173F900	4_2_0173F900
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01752990	4_2_01752990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018020A8	4_2_018020A8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A830	4_2_0175A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018028EC	4_2_018028EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01736800	4_2_01736800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1002	4_2_017F1002
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180E824	4_2_0180E824
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017620A0	4_2_017620A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B090	4_2_0174B090
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01753360	4_2_01753360
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017DCB4F	4_2_017DCB4F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175AB40	4_2_0175AB40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F231B	4_2_017F231B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01788BE8	4_2_01788BE8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017E23E3	4_2_017E23E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F03DA	4_2_017F03DA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01802B28	4_2_01802B28
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FDBD2	4_2_017FDBD2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176ABD8	4_2_0176ABD8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176EBB0	4_2_0176EBB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175EB9A	4_2_0175EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017DEB8A	4_2_017DEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176138B	4_2_0176138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018032A9	4_2_018032A9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018022AE	4_2_018022AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B236	4_2_0175B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017EFA2B	4_2_017EFA2B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FE2C5	4_2_017FE2C5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01752D50	4_2_01752D50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01730D20	4_2_01730D20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018025DD	4_2_018025DD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01802D07	4_2_01802D07
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174D5E0	4_2_0174D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01801D55	4_2_01801D55
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017665A0	4_2_017665A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762581	4_2_01762581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FD466	4_2_017FD466
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01752430	4_2_01752430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174841F	4_2_0174841F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180DFCE	4_2_0180DFCE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01801FF1	4_2_01801FF1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F67E2	4_2_017F67E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017BAE60	4_2_017BAE60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01756E30	4_2_01756E30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FD616	4_2_017FD616
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01755600	4_2_01755600
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01802EF7	4_2_01802EF7

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 0173B150 appears 154 times
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 0178D08C appears 40 times
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 017C5720 appears 78 times

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.676889901.0000000008C00000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.676251652.0000000007330000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.676714401.0000000008AE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670058848.00000000009A8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670586004.00000000010CB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.671469145.00000000019BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.670473061.0000000000D28000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilenamec.exe4 vs Quotation-4834898943949883.pdf.exe

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation-4834898943949883.pdf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\dAcuDULllAP

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: Quotation-4834898943949883.pdf.exe

ReversingLabs: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe 'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe'
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quotation-4834898943949883.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation-4834898943949883.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C7408 pushad ; iretd	0_2_073C7409
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041702F push ds; ret	4_2_004170F8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0D2 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0DB push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_004170F9 push ds; ret	4_2_004170F8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D085 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D13C push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040F1E9 push ecx; iretd	4_2_0040F1EB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00417988 push ebp; iretd	4_2_00417989
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040E40C push eax; ret	4_2_0040E420
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040E421 push ebx; iretd	4_2_0040E42B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00416567 push 0C21EF33h; retf	4_2_0041656D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041E571 push eax; ret	4_2_0041E573
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041663D push es; retf	4_2_0041664C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00416FD9 push ds; ret	4_2_004170F8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0178D0D1 push ecx; ret	4_2_0178D0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.62426000662

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-4834898943949883.pdf.exe PID: 7052, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 7056	Thread sleep time: -103486s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 7072	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 103486			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_01779860 NtQuerySystemInformation,LdrInitializeThunk,

4_2_01779860

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173B171 mov eax, dword ptr fs:[00000030h]	4_2_0173B171
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173B171 mov eax, dword ptr fs:[00000030h]	4_2_0173B171
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173C962 mov eax, dword ptr fs:[00000030h]	4_2_0173C962
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FE962 mov eax, dword ptr fs:[00000030h]	4_2_017FE962
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173395E mov eax, dword ptr fs:[00000030h]	4_2_0173395E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173395E mov eax, dword ptr fs:[00000030h]	4_2_0173395E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1951 mov eax, dword ptr fs:[00000030h]	4_2_017F1951
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B944 mov eax, dword ptr fs:[00000030h]	4_2_0175B944
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B944 mov eax, dword ptr fs:[00000030h]	4_2_0175B944
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180F1B5 mov eax, dword ptr fs:[00000030h]	4_2_0180F1B5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180F1B5 mov eax, dword ptr fs:[00000030h]	4_2_0180F1B5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01733138 mov ecx, dword ptr fs:[00000030h]	4_2_01733138
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176513A mov eax, dword ptr fs:[00000030h]	4_2_0176513A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176513A mov eax, dword ptr fs:[00000030h]	4_2_0176513A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01754120 mov eax, dword ptr fs:[00000030h]	4_2_01754120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01754120 mov eax, dword ptr fs:[00000030h]	4_2_01754120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01754120 mov eax, dword ptr fs:[00000030h]	4_2_01754120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01754120 mov eax, dword ptr fs:[00000030h]	4_2_01754120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01754120 mov ecx, dword ptr fs:[00000030h]	4_2_01754120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018089E7 mov eax, dword ptr fs:[00000030h]	4_2_018089E7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01739100 mov eax, dword ptr fs:[00000030h]	4_2_01739100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01739100 mov eax, dword ptr fs:[00000030h]	4_2_01739100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01739100 mov eax, dword ptr fs:[00000030h]	4_2_01739100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01740100 mov eax, dword ptr fs:[00000030h]	4_2_01740100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01740100 mov eax, dword ptr fs:[00000030h]	4_2_01740100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01740100 mov eax, dword ptr fs:[00000030h]	4_2_01740100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0173B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0173B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0173B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017331E0 mov eax, dword ptr fs:[00000030h]	4_2_017331E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C41E8 mov eax, dword ptr fs:[00000030h]	4_2_017C41E8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F19D8 mov eax, dword ptr fs:[00000030h]	4_2_017F19D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B51BE mov eax, dword ptr fs:[00000030h]	4_2_017B51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B51BE mov eax, dword ptr fs:[00000030h]	4_2_017B51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B51BE mov eax, dword ptr fs:[00000030h]	4_2_017B51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B51BE mov eax, dword ptr fs:[00000030h]	4_2_017B51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176C9BF mov eax, dword ptr fs:[00000030h]	4_2_0176C9BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176C9BF mov eax, dword ptr fs:[00000030h]	4_2_0176C9BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov ecx, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov ecx, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov eax, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov ecx, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov ecx, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov eax, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov ecx, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov ecx, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov eax, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov ecx, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov ecx, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF mov eax, dword ptr fs:[00000030h]	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017661A0 mov eax, dword ptr fs:[00000030h]	4_2_017661A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017661A0 mov eax, dword ptr fs:[00000030h]	4_2_017661A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F49A4 mov eax, dword ptr fs:[00000030h]	4_2_017F49A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F49A4 mov eax, dword ptr fs:[00000030h]	4_2_017F49A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F49A4 mov eax, dword ptr fs:[00000030h]	4_2_017F49A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F49A4 mov eax, dword ptr fs:[00000030h]	4_2_017F49A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B69A6 mov eax, dword ptr fs:[00000030h]	4_2_017B69A6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762990 mov eax, dword ptr fs:[00000030h]	4_2_01762990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01764190 mov eax, dword ptr fs:[00000030h]	4_2_01764190
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808966 mov eax, dword ptr fs:[00000030h]	4_2_01808966
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173519E mov eax, dword ptr fs:[00000030h]	4_2_0173519E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173519E mov ecx, dword ptr fs:[00000030h]	4_2_0173519E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176A185 mov eax, dword ptr fs:[00000030h]	4_2_0176A185
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FA189 mov eax, dword ptr fs:[00000030h]	4_2_017FA189
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FA189 mov ecx, dword ptr fs:[00000030h]	4_2_017FA189
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175C182 mov eax, dword ptr fs:[00000030h]	4_2_0175C182
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2073 mov eax, dword ptr fs:[00000030h]	4_2_017F2073
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175F86D mov eax, dword ptr fs:[00000030h]	4_2_0175F86D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735050 mov eax, dword ptr fs:[00000030h]	4_2_01735050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735050 mov eax, dword ptr fs:[00000030h]	4_2_01735050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735050 mov eax, dword ptr fs:[00000030h]	4_2_01735050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01737057 mov eax, dword ptr fs:[00000030h]	4_2_01737057
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01750050 mov eax, dword ptr fs:[00000030h]	4_2_01750050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01750050 mov eax, dword ptr fs:[00000030h]	4_2_01750050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1843 mov eax, dword ptr fs:[00000030h]	4_2_017F1843
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A830 mov eax, dword ptr fs:[00000030h]	4_2_0175A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A830 mov eax, dword ptr fs:[00000030h]	4_2_0175A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A830 mov eax, dword ptr fs:[00000030h]	4_2_0175A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A830 mov eax, dword ptr fs:[00000030h]	4_2_0175A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01764020 mov edi, dword ptr fs:[00000030h]	4_2_01764020
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176002D mov eax, dword ptr fs:[00000030h]	4_2_0176002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176002D mov eax, dword ptr fs:[00000030h]	4_2_0176002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176002D mov eax, dword ptr fs:[00000030h]	4_2_0176002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176002D mov eax, dword ptr fs:[00000030h]	4_2_0176002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176002D mov eax, dword ptr fs:[00000030h]	4_2_0176002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B02A mov eax, dword ptr fs:[00000030h]	4_2_0174B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B02A mov eax, dword ptr fs:[00000030h]	4_2_0174B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B02A mov eax, dword ptr fs:[00000030h]	4_2_0174B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B02A mov eax, dword ptr fs:[00000030h]	4_2_0174B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B7016 mov eax, dword ptr fs:[00000030h]	4_2_017B7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B7016 mov eax, dword ptr fs:[00000030h]	4_2_017B7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B7016 mov eax, dword ptr fs:[00000030h]	4_2_017B7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01736800 mov eax, dword ptr fs:[00000030h]	4_2_01736800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01736800 mov eax, dword ptr fs:[00000030h]	4_2_01736800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01736800 mov eax, dword ptr fs:[00000030h]	4_2_01736800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428FD mov eax, dword ptr fs:[00000030h]	4_2_017428FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428FD mov eax, dword ptr fs:[00000030h]	4_2_017428FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428FD mov eax, dword ptr fs:[00000030h]	4_2_017428FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B8E4 mov eax, dword ptr fs:[00000030h]	4_2_0175B8E4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B8E4 mov eax, dword ptr fs:[00000030h]	4_2_0175B8E4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017340E1 mov eax, dword ptr fs:[00000030h]	4_2_017340E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017340E1 mov eax, dword ptr fs:[00000030h]	4_2_017340E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017340E1 mov eax, dword ptr fs:[00000030h]	4_2_017340E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01804015 mov eax, dword ptr fs:[00000030h]	4_2_01804015
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01804015 mov eax, dword ptr fs:[00000030h]	4_2_01804015
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017358EC mov eax, dword ptr fs:[00000030h]	4_2_017358EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017CB8D0 mov eax, dword ptr fs:[00000030h]	4_2_017CB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017CB8D0 mov ecx, dword ptr fs:[00000030h]	4_2_017CB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017CB8D0 mov eax, dword ptr fs:[00000030h]	4_2_017CB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017CB8D0 mov eax, dword ptr fs:[00000030h]	4_2_017CB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017CB8D0 mov eax, dword ptr fs:[00000030h]	4_2_017CB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017CB8D0 mov eax, dword ptr fs:[00000030h]	4_2_017CB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017370C0 mov eax, dword ptr fs:[00000030h]	4_2_017370C0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017370C0 mov eax, dword ptr fs:[00000030h]	4_2_017370C0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F18CA mov eax, dword ptr fs:[00000030h]	4_2_017F18CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176F0BF mov ecx, dword ptr fs:[00000030h]	4_2_0176F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176F0BF mov eax, dword ptr fs:[00000030h]	4_2_0176F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176F0BF mov eax, dword ptr fs:[00000030h]	4_2_0176F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017620A0 mov eax, dword ptr fs:[00000030h]	4_2_017620A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017620A0 mov eax, dword ptr fs:[00000030h]	4_2_017620A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017620A0 mov eax, dword ptr fs:[00000030h]	4_2_017620A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017620A0 mov eax, dword ptr fs:[00000030h]	4_2_017620A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017620A0 mov eax, dword ptr fs:[00000030h]	4_2_017620A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017620A0 mov eax, dword ptr fs:[00000030h]	4_2_017620A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017790AF mov eax, dword ptr fs:[00000030h]	4_2_017790AF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428AE mov eax, dword ptr fs:[00000030h]	4_2_017428AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428AE mov eax, dword ptr fs:[00000030h]	4_2_017428AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428AE mov eax, dword ptr fs:[00000030h]	4_2_017428AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428AE mov ecx, dword ptr fs:[00000030h]	4_2_017428AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428AE mov eax, dword ptr fs:[00000030h]	4_2_017428AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017428AE mov eax, dword ptr fs:[00000030h]	4_2_017428AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01739080 mov eax, dword ptr fs:[00000030h]	4_2_01739080
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01733880 mov eax, dword ptr fs:[00000030h]	4_2_01733880
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01733880 mov eax, dword ptr fs:[00000030h]	4_2_01733880
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01801074 mov eax, dword ptr fs:[00000030h]	4_2_01801074
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B3884 mov eax, dword ptr fs:[00000030h]	4_2_017B3884
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B3884 mov eax, dword ptr fs:[00000030h]	4_2_017B3884
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174F370 mov eax, dword ptr fs:[00000030h]	4_2_0174F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174F370 mov eax, dword ptr fs:[00000030h]	4_2_0174F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174F370 mov eax, dword ptr fs:[00000030h]	4_2_0174F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763B7A mov eax, dword ptr fs:[00000030h]	4_2_01763B7A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763B7A mov eax, dword ptr fs:[00000030h]	4_2_01763B7A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173DB60 mov ecx, dword ptr fs:[00000030h]	4_2_0173DB60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C6365 mov eax, dword ptr fs:[00000030h]	4_2_017C6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C6365 mov eax, dword ptr fs:[00000030h]	4_2_017C6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C6365 mov eax, dword ptr fs:[00000030h]	4_2_017C6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01805BA5 mov eax, dword ptr fs:[00000030h]	4_2_01805BA5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173F358 mov eax, dword ptr fs:[00000030h]	4_2_0173F358
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763B5A mov eax, dword ptr fs:[00000030h]	4_2_01763B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763B5A mov eax, dword ptr fs:[00000030h]	4_2_01763B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763B5A mov eax, dword ptr fs:[00000030h]	4_2_01763B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763B5A mov eax, dword ptr fs:[00000030h]	4_2_01763B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173DB40 mov eax, dword ptr fs:[00000030h]	4_2_0173DB40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808BB6 mov eax, dword ptr fs:[00000030h]	4_2_01808BB6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01809BBE mov eax, dword ptr fs:[00000030h]	4_2_01809BBE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F131B mov eax, dword ptr fs:[00000030h]	4_2_017F131B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309 mov eax, dword ptr fs:[00000030h]	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017603E2 mov eax, dword ptr fs:[00000030h]	4_2_017603E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017603E2 mov eax, dword ptr fs:[00000030h]	4_2_017603E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017603E2 mov eax, dword ptr fs:[00000030h]	4_2_017603E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017603E2 mov eax, dword ptr fs:[00000030h]	4_2_017603E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017603E2 mov eax, dword ptr fs:[00000030h]	4_2_017603E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017603E2 mov eax, dword ptr fs:[00000030h]	4_2_017603E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01731BE9 mov eax, dword ptr fs:[00000030h]	4_2_01731BE9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175DBE9 mov eax, dword ptr fs:[00000030h]	4_2_0175DBE9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017E23E3 mov ecx, dword ptr fs:[00000030h]	4_2_017E23E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017E23E3 mov ecx, dword ptr fs:[00000030h]	4_2_017E23E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017E23E3 mov eax, dword ptr fs:[00000030h]	4_2_017E23E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B53CA mov eax, dword ptr fs:[00000030h]	4_2_017B53CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B53CA mov eax, dword ptr fs:[00000030h]	4_2_017B53CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017653C5 mov eax, dword ptr fs:[00000030h]	4_2_017653C5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1BA8 mov eax, dword ptr fs:[00000030h]	4_2_017F1BA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808B58 mov eax, dword ptr fs:[00000030h]	4_2_01808B58
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01764BAD mov eax, dword ptr fs:[00000030h]	4_2_01764BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01764BAD mov eax, dword ptr fs:[00000030h]	4_2_01764BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01764BAD mov eax, dword ptr fs:[00000030h]	4_2_01764BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762397 mov eax, dword ptr fs:[00000030h]	4_2_01762397
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176B390 mov eax, dword ptr fs:[00000030h]	4_2_0176B390
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01734B94 mov edi, dword ptr fs:[00000030h]	4_2_01734B94
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175EB9A mov eax, dword ptr fs:[00000030h]	4_2_0175EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175EB9A mov eax, dword ptr fs:[00000030h]	4_2_0175EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F138A mov eax, dword ptr fs:[00000030h]	4_2_017F138A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017DEB8A mov ecx, dword ptr fs:[00000030h]	4_2_017DEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017DEB8A mov eax, dword ptr fs:[00000030h]	4_2_017DEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017DEB8A mov eax, dword ptr fs:[00000030h]	4_2_017DEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017DEB8A mov eax, dword ptr fs:[00000030h]	4_2_017DEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01741B8F mov eax, dword ptr fs:[00000030h]	4_2_01741B8F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01741B8F mov eax, dword ptr fs:[00000030h]	4_2_01741B8F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176138B mov eax, dword ptr fs:[00000030h]	4_2_0176138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176138B mov eax, dword ptr fs:[00000030h]	4_2_0176138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176138B mov eax, dword ptr fs:[00000030h]	4_2_0176138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017ED380 mov ecx, dword ptr fs:[00000030h]	4_2_017ED380
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177927A mov eax, dword ptr fs:[00000030h]	4_2_0177927A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017EB260 mov eax, dword ptr fs:[00000030h]	4_2_017EB260
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017EB260 mov eax, dword ptr fs:[00000030h]	4_2_017EB260
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01775A69 mov eax, dword ptr fs:[00000030h]	4_2_01775A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01775A69 mov eax, dword ptr fs:[00000030h]	4_2_01775A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01775A69 mov eax, dword ptr fs:[00000030h]	4_2_01775A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1A5F mov eax, dword ptr fs:[00000030h]	4_2_017F1A5F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FEA55 mov eax, dword ptr fs:[00000030h]	4_2_017FEA55
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C4257 mov eax, dword ptr fs:[00000030h]	4_2_017C4257
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01739240 mov eax, dword ptr fs:[00000030h]	4_2_01739240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01739240 mov eax, dword ptr fs:[00000030h]	4_2_01739240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01739240 mov eax, dword ptr fs:[00000030h]	4_2_01739240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01739240 mov eax, dword ptr fs:[00000030h]	4_2_01739240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B236 mov eax, dword ptr fs:[00000030h]	4_2_0175B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B236 mov eax, dword ptr fs:[00000030h]	4_2_0175B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B236 mov eax, dword ptr fs:[00000030h]	4_2_0175B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B236 mov eax, dword ptr fs:[00000030h]	4_2_0175B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B236 mov eax, dword ptr fs:[00000030h]	4_2_0175B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B236 mov eax, dword ptr fs:[00000030h]	4_2_0175B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01738239 mov eax, dword ptr fs:[00000030h]	4_2_01738239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01738239 mov eax, dword ptr fs:[00000030h]	4_2_01738239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01738239 mov eax, dword ptr fs:[00000030h]	4_2_01738239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01734A20 mov eax, dword ptr fs:[00000030h]	4_2_01734A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01734A20 mov eax, dword ptr fs:[00000030h]	4_2_01734A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1229 mov eax, dword ptr fs:[00000030h]	4_2_017F1229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01774A2C mov eax, dword ptr fs:[00000030h]	4_2_01774A2C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01774A2C mov eax, dword ptr fs:[00000030h]	4_2_01774A2C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A229 mov eax, dword ptr fs:[00000030h]	4_2_0175A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808ADD mov eax, dword ptr fs:[00000030h]	4_2_01808ADD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735210 mov eax, dword ptr fs:[00000030h]	4_2_01735210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735210 mov ecx, dword ptr fs:[00000030h]	4_2_01735210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735210 mov eax, dword ptr fs:[00000030h]	4_2_01735210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735210 mov eax, dword ptr fs:[00000030h]	4_2_01735210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173AA16 mov eax, dword ptr fs:[00000030h]	4_2_0173AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173AA16 mov eax, dword ptr fs:[00000030h]	4_2_0173AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01753A1C mov eax, dword ptr fs:[00000030h]	4_2_01753A1C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FAA16 mov eax, dword ptr fs:[00000030h]	4_2_017FAA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FAA16 mov eax, dword ptr fs:[00000030h]	4_2_017FAA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01748A0A mov eax, dword ptr fs:[00000030h]	4_2_01748A0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF mov eax, dword ptr fs:[00000030h]	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762AE4 mov eax, dword ptr fs:[00000030h]	4_2_01762AE4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017312D4 mov eax, dword ptr fs:[00000030h]	4_2_017312D4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735AC0 mov eax, dword ptr fs:[00000030h]	4_2_01735AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735AC0 mov eax, dword ptr fs:[00000030h]	4_2_01735AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01735AC0 mov eax, dword ptr fs:[00000030h]	4_2_01735AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01733ACA mov eax, dword ptr fs:[00000030h]	4_2_01733ACA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762ACB mov eax, dword ptr fs:[00000030h]	4_2_01762ACB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174AAB0 mov eax, dword ptr fs:[00000030h]	4_2_0174AAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174AAB0 mov eax, dword ptr fs:[00000030h]	4_2_0174AAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176FAB0 mov eax, dword ptr fs:[00000030h]	4_2_0176FAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017612BD mov esi, dword ptr fs:[00000030h]	4_2_017612BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017612BD mov eax, dword ptr fs:[00000030h]	4_2_017612BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017612BD mov eax, dword ptr fs:[00000030h]	4_2_017612BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01731AA0 mov eax, dword ptr fs:[00000030h]	4_2_01731AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017352A5 mov eax, dword ptr fs:[00000030h]	4_2_017352A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017352A5 mov eax, dword ptr fs:[00000030h]	4_2_017352A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017352A5 mov eax, dword ptr fs:[00000030h]	4_2_017352A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017352A5 mov eax, dword ptr fs:[00000030h]	4_2_017352A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017352A5 mov eax, dword ptr fs:[00000030h]	4_2_017352A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01765AA0 mov eax, dword ptr fs:[00000030h]	4_2_01765AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01765AA0 mov eax, dword ptr fs:[00000030h]	4_2_01765AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176D294 mov eax, dword ptr fs:[00000030h]	4_2_0176D294
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176D294 mov eax, dword ptr fs:[00000030h]	4_2_0176D294
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808A62 mov eax, dword ptr fs:[00000030h]	4_2_01808A62
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F129A mov eax, dword ptr fs:[00000030h]	4_2_017F129A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176DA88 mov eax, dword ptr fs:[00000030h]	4_2_0176DA88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176DA88 mov eax, dword ptr fs:[00000030h]	4_2_0176DA88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175C577 mov eax, dword ptr fs:[00000030h]	4_2_0175C577
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175C577 mov eax, dword ptr fs:[00000030h]	4_2_0175C577
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01758D76 mov eax, dword ptr fs:[00000030h]	4_2_01758D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01758D76 mov eax, dword ptr fs:[00000030h]	4_2_01758D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01758D76 mov eax, dword ptr fs:[00000030h]	4_2_01758D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01758D76 mov eax, dword ptr fs:[00000030h]	4_2_01758D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01758D76 mov eax, dword ptr fs:[00000030h]	4_2_01758D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01757D50 mov eax, dword ptr fs:[00000030h]	4_2_01757D50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01774D51 mov eax, dword ptr fs:[00000030h]	4_2_01774D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01774D51 mov eax, dword ptr fs:[00000030h]	4_2_01774D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018005AC mov eax, dword ptr fs:[00000030h]	4_2_018005AC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018005AC mov eax, dword ptr fs:[00000030h]	4_2_018005AC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01773D43 mov eax, dword ptr fs:[00000030h]	4_2_01773D43
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017E8D47 mov eax, dword ptr fs:[00000030h]	4_2_017E8D47
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B3540 mov eax, dword ptr fs:[00000030h]	4_2_017B3540
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017E3D40 mov eax, dword ptr fs:[00000030h]	4_2_017E3D40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173354C mov eax, dword ptr fs:[00000030h]	4_2_0173354C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173354C mov eax, dword ptr fs:[00000030h]	4_2_0173354C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01743D34 mov eax, dword ptr fs:[00000030h]	4_2_01743D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173AD30 mov eax, dword ptr fs:[00000030h]	4_2_0173AD30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FE539 mov eax, dword ptr fs:[00000030h]	4_2_017FE539
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017BA537 mov eax, dword ptr fs:[00000030h]	4_2_017BA537
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01764D3B mov eax, dword ptr fs:[00000030h]	4_2_01764D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01764D3B mov eax, dword ptr fs:[00000030h]	4_2_01764D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01764D3B mov eax, dword ptr fs:[00000030h]	4_2_01764D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176F527 mov eax, dword ptr fs:[00000030h]	4_2_0176F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176F527 mov eax, dword ptr fs:[00000030h]	4_2_0176F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176F527 mov eax, dword ptr fs:[00000030h]	4_2_0176F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F3518 mov eax, dword ptr fs:[00000030h]	4_2_017F3518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F3518 mov eax, dword ptr fs:[00000030h]	4_2_017F3518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F3518 mov eax, dword ptr fs:[00000030h]	4_2_017F3518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017395F0 mov eax, dword ptr fs:[00000030h]	4_2_017395F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017395F0 mov ecx, dword ptr fs:[00000030h]	4_2_017395F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017E8DF1 mov eax, dword ptr fs:[00000030h]	4_2_017E8DF1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174D5E0 mov eax, dword ptr fs:[00000030h]	4_2_0174D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174D5E0 mov eax, dword ptr fs:[00000030h]	4_2_0174D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017695EC mov eax, dword ptr fs:[00000030h]	4_2_017695EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FFDE2 mov eax, dword ptr fs:[00000030h]	4_2_017FFDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FFDE2 mov eax, dword ptr fs:[00000030h]	4_2_017FFDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FFDE2 mov eax, dword ptr fs:[00000030h]	4_2_017FFDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FFDE2 mov eax, dword ptr fs:[00000030h]	4_2_017FFDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017EFDD3 mov eax, dword ptr fs:[00000030h]	4_2_017EFDD3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6DC9 mov eax, dword ptr fs:[00000030h]	4_2_017B6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6DC9 mov eax, dword ptr fs:[00000030h]	4_2_017B6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6DC9 mov eax, dword ptr fs:[00000030h]	4_2_017B6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6DC9 mov ecx, dword ptr fs:[00000030h]	4_2_017B6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6DC9 mov eax, dword ptr fs:[00000030h]	4_2_017B6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6DC9 mov eax, dword ptr fs:[00000030h]	4_2_017B6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017315C1 mov eax, dword ptr fs:[00000030h]	4_2_017315C1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808D34 mov eax, dword ptr fs:[00000030h]	4_2_01808D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01761DB5 mov eax, dword ptr fs:[00000030h]	4_2_01761DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01761DB5 mov eax, dword ptr fs:[00000030h]	4_2_01761DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01761DB5 mov eax, dword ptr fs:[00000030h]	4_2_01761DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017665A0 mov eax, dword ptr fs:[00000030h]	4_2_017665A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017665A0 mov eax, dword ptr fs:[00000030h]	4_2_017665A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017665A0 mov eax, dword ptr fs:[00000030h]	4_2_017665A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017635A1 mov eax, dword ptr fs:[00000030h]	4_2_017635A1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01733591 mov eax, dword ptr fs:[00000030h]	4_2_01733591
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176FD9B mov eax, dword ptr fs:[00000030h]	4_2_0176FD9B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176FD9B mov eax, dword ptr fs:[00000030h]	4_2_0176FD9B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762581 mov eax, dword ptr fs:[00000030h]	4_2_01762581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762581 mov eax, dword ptr fs:[00000030h]	4_2_01762581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762581 mov eax, dword ptr fs:[00000030h]	4_2_01762581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762581 mov eax, dword ptr fs:[00000030h]	4_2_01762581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01732D8A mov eax, dword ptr fs:[00000030h]	4_2_01732D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01732D8A mov eax, dword ptr fs:[00000030h]	4_2_01732D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01732D8A mov eax, dword ptr fs:[00000030h]	4_2_01732D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01732D8A mov eax, dword ptr fs:[00000030h]	4_2_01732D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01732D8A mov eax, dword ptr fs:[00000030h]	4_2_01732D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82 mov eax, dword ptr fs:[00000030h]	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82 mov eax, dword ptr fs:[00000030h]	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82 mov eax, dword ptr fs:[00000030h]	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82 mov eax, dword ptr fs:[00000030h]	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82 mov eax, dword ptr fs:[00000030h]	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82 mov eax, dword ptr fs:[00000030h]	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82 mov eax, dword ptr fs:[00000030h]	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FB581 mov eax, dword ptr fs:[00000030h]	4_2_017FB581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FB581 mov eax, dword ptr fs:[00000030h]	4_2_017FB581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FB581 mov eax, dword ptr fs:[00000030h]	4_2_017FB581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FB581 mov eax, dword ptr fs:[00000030h]	4_2_017FB581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477 mov eax, dword ptr fs:[00000030h]	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01775C70 mov eax, dword ptr fs:[00000030h]	4_2_01775C70
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176AC7B mov eax, dword ptr fs:[00000030h]	4_2_0176AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175746D mov eax, dword ptr fs:[00000030h]	4_2_0175746D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017CC450 mov eax, dword ptr fs:[00000030h]	4_2_017CC450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017CC450 mov eax, dword ptr fs:[00000030h]	4_2_017CC450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01809CB3 mov eax, dword ptr fs:[00000030h]	4_2_01809CB3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176A44B mov eax, dword ptr fs:[00000030h]	4_2_0176A44B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01752430 mov eax, dword ptr fs:[00000030h]	4_2_01752430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01752430 mov eax, dword ptr fs:[00000030h]	4_2_01752430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B433 mov eax, dword ptr fs:[00000030h]	4_2_0174B433
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B433 mov eax, dword ptr fs:[00000030h]	4_2_0174B433
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B433 mov eax, dword ptr fs:[00000030h]	4_2_0174B433
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763C3E mov eax, dword ptr fs:[00000030h]	4_2_01763C3E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763C3E mov eax, dword ptr fs:[00000030h]	4_2_01763C3E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01763C3E mov eax, dword ptr fs:[00000030h]	4_2_01763C3E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01734439 mov eax, dword ptr fs:[00000030h]	4_2_01734439
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808CD6 mov eax, dword ptr fs:[00000030h]	4_2_01808CD6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176BC2C mov eax, dword ptr fs:[00000030h]	4_2_0176BC2C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6C0A mov eax, dword ptr fs:[00000030h]	4_2_017B6C0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6C0A mov eax, dword ptr fs:[00000030h]	4_2_017B6C0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6C0A mov eax, dword ptr fs:[00000030h]	4_2_017B6C0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6C0A mov eax, dword ptr fs:[00000030h]	4_2_017B6C0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1C06 mov eax, dword ptr fs:[00000030h]	4_2_017F1C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F14FB mov eax, dword ptr fs:[00000030h]	4_2_017F14FB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6CF0 mov eax, dword ptr fs:[00000030h]	4_2_017B6CF0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6CF0 mov eax, dword ptr fs:[00000030h]	4_2_017B6CF0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017B6CF0 mov eax, dword ptr fs:[00000030h]	4_2_017B6CF0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180740D mov eax, dword ptr fs:[00000030h]	4_2_0180740D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180740D mov eax, dword ptr fs:[00000030h]	4_2_0180740D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180740D mov eax, dword ptr fs:[00000030h]	4_2_0180740D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808C14 mov eax, dword ptr fs:[00000030h]	4_2_01808C14
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01732CDB mov eax, dword ptr fs:[00000030h]	4_2_01732CDB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176CCC0 mov eax, dword ptr fs:[00000030h]	4_2_0176CCC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176CCC0 mov eax, dword ptr fs:[00000030h]	4_2_0176CCC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176CCC0 mov eax, dword ptr fs:[00000030h]	4_2_0176CCC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176CCC0 mov eax, dword ptr fs:[00000030h]	4_2_0176CCC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01734CB0 mov eax, dword ptr fs:[00000030h]	4_2_01734CB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176D4B0 mov eax, dword ptr fs:[00000030h]	4_2_0176D4B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808450 mov eax, dword ptr fs:[00000030h]	4_2_01808450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173649B mov eax, dword ptr fs:[00000030h]	4_2_0173649B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173649B mov eax, dword ptr fs:[00000030h]	4_2_0173649B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496 mov eax, dword ptr fs:[00000030h]	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174849B mov eax, dword ptr fs:[00000030h]	4_2_0174849B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01731480 mov eax, dword ptr fs:[00000030h]	4_2_01731480
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01808C75 mov eax, dword ptr fs:[00000030h]	4_2_01808C75
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01736F60 mov eax, dword ptr fs:[00000030h]	4_2_01736F60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01736F60 mov eax, dword ptr fs:[00000030h]	4_2_01736F60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174FF60 mov eax, dword ptr fs:[00000030h]	4_2_0174FF60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175E760 mov eax, dword ptr fs:[00000030h]	4_2_0175E760
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175E760 mov eax, dword ptr fs:[00000030h]	4_2_0175E760
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176CF6A mov eax, dword ptr fs:[00000030h]	4_2_0176CF6A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176CF6A mov eax, dword ptr fs:[00000030h]	4_2_0176CF6A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C5F5F mov eax, dword ptr fs:[00000030h]	4_2_017C5F5F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C5F5F mov eax, dword ptr fs:[00000030h]	4_2_017C5F5F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C5F5F mov eax, dword ptr fs:[00000030h]	4_2_017C5F5F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C5F5F mov eax, dword ptr fs:[00000030h]	4_2_017C5F5F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017C5F5F mov eax, dword ptr fs:[00000030h]	4_2_017C5F5F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1751 mov eax, dword ptr fs:[00000030h]	4_2_017F1751
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174EF40 mov eax, dword ptr fs:[00000030h]	4_2_0174EF40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173A745 mov eax, dword ptr fs:[00000030h]	4_2_0173A745
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176DF4C mov eax, dword ptr fs:[00000030h]	4_2_0176DF4C

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Memory written: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection111	Masquerading11	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	System Information Discovery112	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information14	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Quotation-4834898943949883.pdf.exe	29%	ReversingLabs	Win32.Trojan.AgentTesla
Quotation-4834898943949883.pdf.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/jp/A	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/B	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a-e	0%	Avira URL Cloud	safe
http://tempuri.org/GridOneHSDataSet.xsd	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comB.TTF	0%	URL Reputation	safe
http://www.fontbureau.comB.TTF	0%	URL Reputation	safe
http://www.fontbureau.comB.TTF	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/n	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/$	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/$	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/$	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://tempuri.org/HighScoresDataSet.xsd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Z	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Z	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Z	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/A	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/=	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/=	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/=	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/u	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/u	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/u	0%	URL Reputation	safe
http://www.founder.com.cn/cnate0	0%	Avira URL Cloud	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/g	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/g	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/g	0%	URL Reputation	safe
http://www.founder.com.cn/cnrig	0%	Avira URL Cloud	safe
www.liveonlinehdplay24.com/kzsw/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.liveonlinehdplay24.com/kzsw/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/A	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/B	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/a-e	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://tempuri.org/GridOneHSDataSet.xsd	Quotation-4834898943949883.pdf.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	Quotation-4834898943949883.pdf.exe, 00000000.00000002.670934417.0000000002C9E000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Quotation-4834898943949883.pdf.exe, 00000000.00000003.659748125.0000000005CCA000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comB.TTF	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0/n	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/$	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quotation-4834898943949883.pdf.exe, 00000000.00000002.670815248.0000000002C01000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000002.670934417.0000000002C9E000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/HighScoresDataSet.xsd	Quotation-4834898943949883.pdf.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Z	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/P	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/H	Quotation-4834898943949883.pdf.exe, 00000000.00000003.656963455.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/A	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/B	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/=	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/u	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnate0	Quotation-4834898943949883.pdf.exe, 00000000.00000003.655212335.0000000005CCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comt	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comm	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/n	Quotation-4834898943949883.pdf.exe, 00000000.00000003.656963455.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/g	Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnrig	Quotation-4834898943949883.pdf.exe, 00000000.00000003.655212335.0000000005CCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383932
Start date:	08.04.2021
Start time:	12:41:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Quotation-4834898943949883.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.2% (good quality ratio 5%) Quality average: 80% Quality standard deviation: 24.7%
HCA Information:	Successful, ratio: 90% Number of executed functions: 44 Number of non-executed functions: 229
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/383932/sample/Quotation-4834898943949883.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
12:42:28	API Interceptor	1x Sleep call for process: Quotation-4834898943949883.pdf.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation-4834898943949883.pdf.exe.log Download File
Process:	C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.602799015135587
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Quotation-4834898943949883.pdf.exe
File size:	692224
MD5:	ba34da45fb03afddde208fd6458ac143
SHA1:	e132408554f22f314f3e4e151d931de1d3e623e1
SHA256:	f7b3ef9d4ac8560bf644a3f3039a32f568563d3299273073abe31fa19ed6470e
SHA512:	07ae60dcbedb260e1de1cea8a3b876f5a39161e0498b2c59e3ccc24bdb814f08a0986fd606fc4e8190c6a066147c2b07fd3e385b49952db95fb1116399498717
SSDEEP:	12288:P55tWbm6iLEPkfJNl0+AcMISr1vpnVvCVBvG1iuR/+Bf/f:P55UTiWkfJc+L6pvrCVB2an
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zn`..............P..J...D......rd... ........@.. ....................................@................................

File Icon


Icon Hash:	2b014c5a4a450127

Static PE Info

General
Entrypoint:	0x4a6472
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x606E7ACC [Thu Apr 8 03:38:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
or eax, 0C000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
push es
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or al, byte ptr [eax]
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
add eax, 00000000h
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or eax, dword ptr [eax]
add byte ptr [eax], al
or eax, dword ptr [eax]
add byte ptr [eax], al
or al, 00h
add byte ptr [eax], al
or eax, 02000000h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [00000000h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6420	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x4160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa49a8	0xa4a00	False	0.785208155372	data	7.62426000662	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x4160	0x4200	False	0.221117424242	data	4.49408146936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa8190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xa85f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xa96a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295
RT_GROUP_ICON	0xabc48	0x30	data
RT_VERSION	0xabc78	0x2fc	data
RT_MANIFEST	0xabf74	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015
Assembly Version	1.0.0.0
InternalName	c.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Codewords
ProductVersion	1.0.0.0
FileDescription	Codewords
OriginalFilename	c.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Quotation-4834898943949883.pdf.exe PID: 7052 Parent PID: 4180

General

Start time:	12:42:21
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe'
Imagebase:	0x900000
File size:	692224 bytes
MD5 hash:	BA34DA45FB03AFDDDE208FD6458AC143
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Quotation-4834898943949883.pdf.exe PID: 5888 Parent PID: 7052

General

Start time:	12:42:30
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Imagebase:	0xc80000
File size:	692224 bytes
MD5 hash:	BA34DA45FB03AFDDDE208FD6458AC143
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Quotation-4834898943949883.pdf.exe PID: 7052 Parent PID: 4180 Quotation-4834898943949883.pdf.exeCOMMON

Executed Functions

Function 073C6FC0, Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

BU/*, xrefs: 073C71AA
'N}, xrefs: 073C7020

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID: 'N}$BU/*
API String ID: 0-3383374996
Opcode ID: a7d936fcc98d12d15e037f19000a093493a3a3217ebc06d5d68402946b3b9bfd
Instruction ID: 186203d94659b10a1425b7f285525a7f2ec163685000d4485b6649f3e367d045
Opcode Fuzzy Hash: a7d936fcc98d12d15e037f19000a093493a3a3217ebc06d5d68402946b3b9bfd
Instruction Fuzzy Hash: 9AB122B4D15228CFEB54CFA4C984B9DBBB5FB8A300F20942DD80AAB655DB349D41CF25

Uniqueness

Uniqueness Score: -1.00%

Function 073C6FB6, Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

BU/*, xrefs: 073C71AA
'N}, xrefs: 073C7020

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID: 'N}$BU/*
API String ID: 0-3383374996
Opcode ID: 2aa3eabb1915f44c177be755de2c4bce27871b6ce8a8e47b27a40ddf2ab759f7
Instruction ID: f0cbf258b99318ae4ec3f9a010a28042bd47d043804920ef40757cb9bf1cd2ed
Opcode Fuzzy Hash: 2aa3eabb1915f44c177be755de2c4bce27871b6ce8a8e47b27a40ddf2ab759f7
Instruction Fuzzy Hash: DCA135B4D11219CFEB54CFA4D988B9DBBB5FB8A300F20946ED80AA7651DB349D40CF25

Uniqueness

Uniqueness Score: -1.00%

Function 073C6680, Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 073C6707

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 2fd826cfc3e812c88ae39a0c6512f8b62a91b5e9ccbf792bd1cdd777dc9fb45a
Instruction ID: 7199daabbd40352505fc6b2d805e25768ec3104f985bc0bf09e26a94ca13c458
Opcode Fuzzy Hash: 2fd826cfc3e812c88ae39a0c6512f8b62a91b5e9ccbf792bd1cdd777dc9fb45a
Instruction Fuzzy Hash: 6721DEB5900249DFDB10CF9AD885ACEFBF4FB48320F10842AE928A7210C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073C6688, Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 073C6707

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 0f3cf37cb685e678a7aee96664c433e49c9b7c661ce7193a584259403c66a676
Instruction ID: 22d3aef4e7e6f7ebc045223e38cf6a928497e5f4aec9c57e30aad98c1c53e74e
Opcode Fuzzy Hash: 0f3cf37cb685e678a7aee96664c433e49c9b7c661ce7193a584259403c66a676
Instruction Fuzzy Hash: 7E21ABB5900259AFCB10CF9AD885ADEBBF4FB48320F54852AE918A7210D375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073C5300, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce2ddd029ac251ce75bcc1e94772293654ef099d62849e424afebe7cf6f3771
Instruction ID: dc2d171d7b08d53a1df0701440702e9a03ff7fb839dc105dae7d881992edcdf7
Opcode Fuzzy Hash: 9ce2ddd029ac251ce75bcc1e94772293654ef099d62849e424afebe7cf6f3771
Instruction Fuzzy Hash: FB71E6B8D11219DFDF08CFA5D59869DBBB2FB8A301F20802ED41AAB354DB34A941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 073C52EF, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffce5323186e91cdb29a76b729f0b5e238f225ee49b82e2cff00354bef98f22f
Instruction ID: 204aefc4e9aec5004d19565b855c71be072d68de58e1473f88a6515a9178fed8
Opcode Fuzzy Hash: ffce5323186e91cdb29a76b729f0b5e238f225ee49b82e2cff00354bef98f22f
Instruction Fuzzy Hash: F361F9B8D11209DFDB08CFA5D49869DBBB2FF8A301F20802ED51AAB355DB34A941CF11

Uniqueness

Uniqueness Score: -1.00%

Function 073C1ED8, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea594d49466c81505ed2a53b73c9a33f431b9878158e3ae76ae3764071150fe
Instruction ID: 94081993b599e95fa32537d0fab22413834a329088164659a10520bcbb3a8aac
Opcode Fuzzy Hash: 3ea594d49466c81505ed2a53b73c9a33f431b9878158e3ae76ae3764071150fe
Instruction Fuzzy Hash: F8511AB4E152198FEB58CF66C944A8EF7B7BF89200F05C1A9D50DA7215DB309E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 073CFB08, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d631c7d0bb3e6cbdb5b79644ab9ac693d63e9dc26c50df03052cbf7d758889
Instruction ID: 886d2307460486972a15e7eb823fc60d3be6f0fa1e0c0614994ad41499eadb51
Opcode Fuzzy Hash: 28d631c7d0bb3e6cbdb5b79644ab9ac693d63e9dc26c50df03052cbf7d758889
Instruction Fuzzy Hash: 62112EB1D0521ACFEB14CFA5C5287EDBBF2AB4E351F149069D045B3291CB785944CB68

Uniqueness

Uniqueness Score: -1.00%

Function 073CAE4C, Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073CB086

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fa3fa4979439517b7537b2425ec2214a18bd60c553680e03bc306477aa7d960a
Instruction ID: ab6aaf0ab347d6fc4f56a190eab44fbdf1eba237093ddd9a761e2d7304cc48c9
Opcode Fuzzy Hash: fa3fa4979439517b7537b2425ec2214a18bd60c553680e03bc306477aa7d960a
Instruction Fuzzy Hash: C0915AB1D0021ECFEB20CF65CC817EDBBB6BB48314F15856AE809A7250DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 073CAE50, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073CB086

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5791ee24823f5f6f7a9f8e368a08524cfdabbbe6f7d96baeedc260562303c09f
Instruction ID: c2bf2c1e3b478f25834eb725dc943004cf837479ddc131fff59abd01a78b2207
Opcode Fuzzy Hash: 5791ee24823f5f6f7a9f8e368a08524cfdabbbe6f7d96baeedc260562303c09f
Instruction Fuzzy Hash: 26915AB1D0021EDFEB20CF65CC817EDBAB6FB48314F15856AE809A7250DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 073CA8E1, Relevance: 1.6, APIs: 1, Instructions: 92processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073CB086

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c0818c8fab21f41f53f92bce0e60dc97b82c87cb8fd0b3d079f5956b03dcf29e
Instruction ID: 1ac3143b7eef3cd2c1209b8294330e2585d370a1607a5f646cc31f252039a2a0
Opcode Fuzzy Hash: c0818c8fab21f41f53f92bce0e60dc97b82c87cb8fd0b3d079f5956b03dcf29e
Instruction Fuzzy Hash: 634125B190421DDEEF24DFA4C885BEDBBB2BF45208F1180A9E40877260CB755D89CF62

Uniqueness

Uniqueness Score: -1.00%

Function 073CAB00, Relevance: 1.6, APIs: 1, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073CAB76

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e439a61fdf80be5fb8a8a4876546ec02951a828142e1874df6fe9a9593c88bcb
Instruction ID: 4d72f78b304a4e9c402e7911ef95233baa3274d47a118a3c8ed419604eb0a4e5
Opcode Fuzzy Hash: e439a61fdf80be5fb8a8a4876546ec02951a828142e1874df6fe9a9593c88bcb
Instruction Fuzzy Hash: DF318BB6D002099FDB20CFA9D8447EEFBF1EF88324F15842AD519A7250C779A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073CABC0, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073CAC58

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8a08da19768e8dc328bacaf016f5c6c169236346d78ae16c047b78455fb1b99c
Instruction ID: d033fd4ac9af47eb6453b38f416d4aa9d05e2c1cba52a0fb79621260512f622e
Opcode Fuzzy Hash: 8a08da19768e8dc328bacaf016f5c6c169236346d78ae16c047b78455fb1b99c
Instruction Fuzzy Hash: 972146B19002499FDB10CFA9C8847EEBBF1FF48314F14842EE959A7240D7789955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 073CABC8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073CAC58

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 530f0ef5b967f395b3b2993c81a69d6c8c9e5dcedf9fe3251ab8474204dadb33
Instruction ID: 4715f633327f4eaced5b77fcc5dafe6a8eab3c0e04c18128bf111a5d403055cc
Opcode Fuzzy Hash: 530f0ef5b967f395b3b2993c81a69d6c8c9e5dcedf9fe3251ab8474204dadb33
Instruction Fuzzy Hash: 0D2125B59003099FDB10DFAAC884BDEBBF5FF48314F14842AE959A7340C778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 073CACB0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073CAD38

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 954a7781b76e7ff040f8fbe2043fd0a5dc579c54e217958e6173668ec276bd3c
Instruction ID: 641983277896497ad4d4f06868172b2f85c0f4014a28a994ae0d51d2e0889dd2
Opcode Fuzzy Hash: 954a7781b76e7ff040f8fbe2043fd0a5dc579c54e217958e6173668ec276bd3c
Instruction Fuzzy Hash: C62125B1D002099FCB10CFAAC884BEEFBF5FF48324F55842AE919A7240C7749945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 073CAA30, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 073CAAAE

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e36c53e829021aed83d7faff0df2fdbbf4b58a1503f436a9cca66968aa308612
Instruction ID: 5481117632f8c075a331b87b65fd93351906c11d68ab15232715ae79ed8e3109
Opcode Fuzzy Hash: e36c53e829021aed83d7faff0df2fdbbf4b58a1503f436a9cca66968aa308612
Instruction Fuzzy Hash: 682138B5D002099FDB10CFAAC4847EEBBF4EF48224F14842ED519A7240CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073CAA2F, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 073CAAAE

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 149b9c46b094ceadab760b4e37fc84ed3d78848aca5f95c27481b80401fd1737
Instruction ID: 10a4cc3e6c3d597d7d82ccfc3ff34a7887d19d3baddd744f701b815146e70d0d
Opcode Fuzzy Hash: 149b9c46b094ceadab760b4e37fc84ed3d78848aca5f95c27481b80401fd1737
Instruction Fuzzy Hash: 422138B5D002099FDB10CFAAC4847EEBBF4EF48224F18842ED519A7240CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073CACB8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073CAD38

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8a00592a762c275b5893ae76db393de0d84adfb84f3eec316e78acbfbe23b701
Instruction ID: a412a6886a509289454ec0a11779707912c2163abf26ceb5aa7aba27252b424b
Opcode Fuzzy Hash: 8a00592a762c275b5893ae76db393de0d84adfb84f3eec316e78acbfbe23b701
Instruction Fuzzy Hash: 232128B1D002099FCB10CFAAC8847DEFBF5FF48314F55842AE919A7250C7749945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 073C51F0, Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 073C526B

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8f42bad48f3f7f451dec834d9d4a3bfbd9d5767b4fe60d40e1d0578ee74df411
Instruction ID: 8f3dfe53c389db6b506c7addb987b7b6edd28af4a3e6f7c777c2bfa3687732eb
Opcode Fuzzy Hash: 8f42bad48f3f7f451dec834d9d4a3bfbd9d5767b4fe60d40e1d0578ee74df411
Instruction Fuzzy Hash: BC2106B5D002499FDB10CF9AD484BDEFBF4FB48320F148429E969A7250D378AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073C51F8, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 073C526B

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 138a36595c06a01e2ce65826dc3ac017b1fa5d27ed2bface4997b8cf1da403c0
Instruction ID: d233cbf6c77799f2a75fc71800819eb95f9d5057d1c9087a3df749d2f74049a2
Opcode Fuzzy Hash: 138a36595c06a01e2ce65826dc3ac017b1fa5d27ed2bface4997b8cf1da403c0
Instruction Fuzzy Hash: 8621E7B5D002099FDB10CF9AD484BDEFBF4FB48320F148429E958A7250D774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073C8330, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 073C83A8

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: d67ad67a8f81372fe10a1f9720b37659d65b369b999ffd469b1e92924c636b44
Instruction ID: 69aee8b57c5db33a79c1f965dcf6e804085b7ae08738f9496c7e5f5ecd02a495
Opcode Fuzzy Hash: d67ad67a8f81372fe10a1f9720b37659d65b369b999ffd469b1e92924c636b44
Instruction Fuzzy Hash: 6E1142B5C0061A9FCB10CF9AD484BDEFBB4FF48320F14812AD818A3200D774AA45CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 073CAB08, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073CAB76

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d58adb03b387862eb1ae0e4709fef597ccd71bbd18c7586be27456f3ffc68763
Instruction ID: f2732f39b628699978f8c3c11c35d12e14201453c1276a45dcc7289d786e5dc7
Opcode Fuzzy Hash: d58adb03b387862eb1ae0e4709fef597ccd71bbd18c7586be27456f3ffc68763
Instruction Fuzzy Hash: 6E1137B59002099FDB10DFAAC844BDFFBF5EF48324F148429D519A7250C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073CA978, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073CA9E2

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: abe38c9e5da3bc9d3b7615aa8dba5304932442840cb65f991b535126db0e0a6f
Instruction ID: a8f1bb283dc846dff9308ba0e827d00369b49eec3b1198d1eb490cd64f32e157
Opcode Fuzzy Hash: abe38c9e5da3bc9d3b7615aa8dba5304932442840cb65f991b535126db0e0a6f
Instruction Fuzzy Hash: EF1149B1D042498FDB24CFAAC8447EEFBF5EF88214F25882EC419A7200C7759945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073C8338, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 073C83A8

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 153687da87bb04d969eb76408e2654adf80ee59a61cb67ded5b167ce58763b8e
Instruction ID: c68324850db50913a5b42548a509a45872ceafa40e28b8c986d625d05f4c2111
Opcode Fuzzy Hash: 153687da87bb04d969eb76408e2654adf80ee59a61cb67ded5b167ce58763b8e
Instruction Fuzzy Hash: 9D1132B5C0061A9BCB10CF9AD844BDEFBF4FB48320F14812AD818B3240C774AA45CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 073CA980, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073CA9E2

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b61380ff00cb756e0f518aa802b70b296e678860f2860fde3fe582e05c1da113
Instruction ID: 9e158b2812030435acc6b5a4254d172c57c0f050af53104e4eb33a8f4e3b2567
Opcode Fuzzy Hash: b61380ff00cb756e0f518aa802b70b296e678860f2860fde3fe582e05c1da113
Instruction Fuzzy Hash: 48113AB1D042498BDB20DFAAC8457DFFBF5EF88224F15842AC519A7240CB75A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073CE768, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 073CE7C5

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c29952ba66810a5005be106bf0bc5f71ee03c13794ca93680b521856b285c822
Instruction ID: 559a4636de1da817d92a26886a536406dd5515fd75016afc97d2a648d224073d
Opcode Fuzzy Hash: c29952ba66810a5005be106bf0bc5f71ee03c13794ca93680b521856b285c822
Instruction Fuzzy Hash: D211E5B58003499FDB20CF9AD885BDEFBF8FB48724F14841AD918A7600C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04C80EEC, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.673219209.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32d0486a875b8a3cf2f6ef5fc7d877d99a36fa7bead6d376c5eebc61191e88
Instruction ID: 523ffff8dc6a3cfff0cb6b2c57fd9d6f9ec50ad6c6beac59e1c0211bc3bac020
Opcode Fuzzy Hash: 9d32d0486a875b8a3cf2f6ef5fc7d877d99a36fa7bead6d376c5eebc61191e88
Instruction Fuzzy Hash: EFF05EB0D48245DFD750EFBA88452AA7FF1FF1A305F0A84AED041DB221E3B89609DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04C80E99, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.673219209.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef5afcc358562b8a011e01ddb4b8237082518c91216acc63c7bd1ce84abb29b
Instruction ID: 294d5fe5de48676f61feaddd12afe3b2f88d44eebcdd076617761a01aec48ca5
Opcode Fuzzy Hash: 6ef5afcc358562b8a011e01ddb4b8237082518c91216acc63c7bd1ce84abb29b
Instruction Fuzzy Hash: 60E09230A4060A9FC710CF6AC5526CB7FF2EF05318F74459AD051DB662D739514B8F40

Uniqueness

Uniqueness Score: -1.00%

Function 04C80EA8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.673219209.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc825e78dafcbf1d2bdafab0772db27dd2273797bb3bdc327ef49e3624d69f9
Instruction ID: cb06ff1903cdaab0ae97e788b1deb98278c42ef6328a3b433025bc0ecfc2b1a1
Opcode Fuzzy Hash: bcc825e78dafcbf1d2bdafab0772db27dd2273797bb3bdc327ef49e3624d69f9
Instruction Fuzzy Hash: 70E092B0D44209DFD780EFAAC90565EBBF1BF08204F1588AAD015E7221E7B4A6048F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 073C1CB1, Relevance: 5.1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

Strings

P=]p, xrefs: 073C1D6B
Q!)3, xrefs: 073C1E0C
P=]p, xrefs: 073C1D64
P=]p, xrefs: 073C1D82

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID: P=]p$P=]p$P=]p$Q!)3
API String ID: 0-1547165635
Opcode ID: 012a19b3d411d5ecbdd2ab5fce38e56304f32af6235608a6f10976ce27798964
Instruction ID: 5cc2308ac84c89368ddf30a6bf48c52ea7884a822f1a45576099e3120df4edfa
Opcode Fuzzy Hash: 012a19b3d411d5ecbdd2ab5fce38e56304f32af6235608a6f10976ce27798964
Instruction Fuzzy Hash: DD511AB1E1520ACFDB08CFA6C5855AEFBF2BF89300F24C46AC519B7259D3349A418B95

Uniqueness

Uniqueness Score: -1.00%

Function 073C1CC0, Relevance: 5.1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

Strings

P=]p, xrefs: 073C1D6B
Q!)3, xrefs: 073C1E0C
P=]p, xrefs: 073C1D64
P=]p, xrefs: 073C1D82

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID: P=]p$P=]p$P=]p$Q!)3
API String ID: 0-1547165635
Opcode ID: 8dc9ca6e969663f096bcfa45d5c9d6cc7f76b745bdc3bd0b581dfa2f30de9260
Instruction ID: b733d3a94eb34fb998a759101061ceabe765138da28fec5d8413497123461da8
Opcode Fuzzy Hash: 8dc9ca6e969663f096bcfa45d5c9d6cc7f76b745bdc3bd0b581dfa2f30de9260
Instruction Fuzzy Hash: FB513CF1E1520ACFDB08CFA6C5845EEFBF6BB89300F24C06AC509B7219D3309A418B95

Uniqueness

Uniqueness Score: -1.00%

Function 073C11A0, Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

($, xrefs: 073C1230
($, xrefs: 073C1229

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID: ($$($
API String ID: 0-3491525501
Opcode ID: bba86ec9c32df4bf9f3a3e7eeddb8f0ff343621a67fbb08a6525d074928eace4
Instruction ID: 93ae29baa7dd62c699881fb172327695203b4bdfef17aa98974d3e2fafaddac4
Opcode Fuzzy Hash: bba86ec9c32df4bf9f3a3e7eeddb8f0ff343621a67fbb08a6525d074928eace4
Instruction Fuzzy Hash: 1A71D2F4E1420ECFDB04CFD9C5809AEFBB6BF89310F14855AD819A7215D334AA829F95

Uniqueness

Uniqueness Score: -1.00%

Function 073C1190, Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

($, xrefs: 073C1230
($, xrefs: 073C1229

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID: ($$($
API String ID: 0-3491525501
Opcode ID: 76f8bb18de3f9b48d06f3a8fd762b7eda3da57623338aff3ef41f54cd71a83a4
Instruction ID: 94b37d293a36493643d2d47b123a30626ac1b3ad764dfded10266e82a638bb1a
Opcode Fuzzy Hash: 76f8bb18de3f9b48d06f3a8fd762b7eda3da57623338aff3ef41f54cd71a83a4
Instruction Fuzzy Hash: AE61E5F4E1420ACFDB14CFD9C4809AEFBB6BF89210F14855AD819A7215D334AA82DF95

Uniqueness

Uniqueness Score: -1.00%

Function 04C80448, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.673219209.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c963e2836eee700ad8d79069cb1b512cef1617066e34987d916c17f8a976d7
Instruction ID: 85c2af24e41eb44cc8ccba4cb02a580bfdd7863fbebdb6e11b186ca493c5e8eb
Opcode Fuzzy Hash: 35c963e2836eee700ad8d79069cb1b512cef1617066e34987d916c17f8a976d7
Instruction Fuzzy Hash: 76D1EE717006548FEB19EB7AC4607AEB3F7AF89708F15846DD145CB291CB34E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04C81770, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.673219209.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319d83dec87033044d6ed18f1b1c1a369c34d7cd3ea6ce99b8c45517d6c3d0b8
Instruction ID: e2be9f16187add017f80f41146ccc65b1aee14e6c61192cd1671587cd86ea7ff
Opcode Fuzzy Hash: 319d83dec87033044d6ed18f1b1c1a369c34d7cd3ea6ce99b8c45517d6c3d0b8
Instruction Fuzzy Hash: 64D1C234A001048FDB18DF69C598AEDB7F2BF89715F2980A8E44AEB365DB31AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 073C5C88, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3802baf1ee53092b0b431d803705626b08b6296836c0b1000f4e0482327a9b59
Instruction ID: ad6583ee9b9f43c4a47b0432ec5e97adff03b651f38e4b3ea6224bf39d22cab8
Opcode Fuzzy Hash: 3802baf1ee53092b0b431d803705626b08b6296836c0b1000f4e0482327a9b59
Instruction Fuzzy Hash: 80C118B4E14219CFDB14CFA9C984A9DFBB2FB89304F248169D509AB355DB30AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073C5C78, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a86105d0bb40c24b2ba03db719d36db0ab278db0fe760d055bc38cf4755db00
Instruction ID: 849818325320810b959532622547f114e1e7b120f621403d35b270900ec13c3c
Opcode Fuzzy Hash: 1a86105d0bb40c24b2ba03db719d36db0ab278db0fe760d055bc38cf4755db00
Instruction Fuzzy Hash: 83C118B4E14219CFDB14CFA9C984A9DFBB2EF89304F248169D509A7359DB30AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073C8518, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9090a189b877db6e5f514efcae32f0a69fc2e1f1196a32cee374b764612fc7
Instruction ID: 31c6985e2f3b91fa89ee09122e3f99a9eff9caa21135cab129d7ff16b4a47ee3
Opcode Fuzzy Hash: af9090a189b877db6e5f514efcae32f0a69fc2e1f1196a32cee374b764612fc7
Instruction Fuzzy Hash: 38B107B4E152598FDB04CFA9C540ADEFBF2BF89300F24C52AD509AB315E7349E418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 073C8508, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd4b456ccbcf9ae70a5507878e8748f5fa130535273d07ea67f9af074c52946
Instruction ID: 1d941777d4e45d5b80e00a684866e3d189eb4a80c7e3d0f771446b0232778286
Opcode Fuzzy Hash: 8bd4b456ccbcf9ae70a5507878e8748f5fa130535273d07ea67f9af074c52946
Instruction Fuzzy Hash: 0AB117B4E152598FDB04CFA9C5819DEFBF2BF89300F24C52AD508AB215E7349E41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 073C89E8, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f1298feb236fee71079842d83047aa9a9e668f2610d0d24deef55f5e05e50d
Instruction ID: e29cbaa3fb33925a8e1dcd62c0797c8599aa2b3e3a0c4b689c223285e7776934
Opcode Fuzzy Hash: 20f1298feb236fee71079842d83047aa9a9e668f2610d0d24deef55f5e05e50d
Instruction Fuzzy Hash: 2A717EB5E1520A9FDB04CFA9C440AEEFBB6FF89310F18D42AD519A7214D7349A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073C89F8, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff9f5690a850571f9821ee50fe41f45f0871561d71e9022db76c06386f71c64
Instruction ID: 1fe0fbd3de072d21481b2d6e1038a7763197e04fcd4addba19797de21c8d04a2
Opcode Fuzzy Hash: fff9f5690a850571f9821ee50fe41f45f0871561d71e9022db76c06386f71c64
Instruction Fuzzy Hash: 98616CB4E1520A9FDB04CFA9C541AEEFBF6FF89310F18D429D519A7214D7349A418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 073C06C8, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef5f6df1c8e2c352775f20707f903b44a76eda65c7e3c386382cc76331dd14e
Instruction ID: 275822d5a617679970249ae3ba2e4aa6b8996b5f0ca93f1cbd40f09454171022
Opcode Fuzzy Hash: 2ef5f6df1c8e2c352775f20707f903b44a76eda65c7e3c386382cc76331dd14e
Instruction Fuzzy Hash: 0271E3B4E11209DFCB08CFA9D58499DFBF5FF89310F14916AE419AB221D734AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 073C06B9, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2b0e1a4be6065c975484feb9ac56b4c2cb0506067669d909f4f8fe049a8836
Instruction ID: 397a62e8f9f805173bab32bcdd398d6be16b8418606581e46bdef1f3ddd4e37c
Opcode Fuzzy Hash: ae2b0e1a4be6065c975484feb9ac56b4c2cb0506067669d909f4f8fe049a8836
Instruction Fuzzy Hash: A271F374E11209DFCB08CFA9D48099EFBF1FF89310F14856AE419AB221D734AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 073C2978, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f525031ff8b71e1acc1890f53cef45f980af14b1205f70ebca752c32f9cff5
Instruction ID: ce581d5cb15893f7cd5161cfac361a5820581bcac7395c4bd9770ef1f7f89167
Opcode Fuzzy Hash: 78f525031ff8b71e1acc1890f53cef45f980af14b1205f70ebca752c32f9cff5
Instruction Fuzzy Hash: 7061D0B1E146589BEB29CF6BC8543D9FBF3BFC9200F54C1AAC44C96219DB3409868F52

Uniqueness

Uniqueness Score: -1.00%

Function 073C1A70, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42a2ecb35406799da7a1e6c7c0b36c0da9b444da99d1710734864feedb58080
Instruction ID: 76497421eaee3c8228aadf16febacb9ca0dd0bdbd4c8fcd35f89edd372f4b50f
Opcode Fuzzy Hash: f42a2ecb35406799da7a1e6c7c0b36c0da9b444da99d1710734864feedb58080
Instruction Fuzzy Hash: 7E61F2B4E1520A8FDB18CFA9C5819DEFBF2BF89310F28942AD409B7215D7349A51CB64

Uniqueness

Uniqueness Score: -1.00%

Function 073C1A80, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a793d7eb8d8d0ff79c72a0bd4d3ad9b28829635730e158055938a1895d1860de
Instruction ID: 44a74793876104af6105c4d4f2603b8400da1b2dc37b22383b0b2c92bf4c7927
Opcode Fuzzy Hash: a793d7eb8d8d0ff79c72a0bd4d3ad9b28829635730e158055938a1895d1860de
Instruction Fuzzy Hash: 2C61DFB4E1560D8FDB18CFAAC5819DEFBF2BF89210F28902AD409B7215D7349A518F64

Uniqueness

Uniqueness Score: -1.00%

Function 073C8CD8, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23bfec081706067996534733a384a8ef44de85b5d6f0bed2a495a9da34835bd
Instruction ID: bc13cc9f4838f9702a48025c4f6684275b103fa0f7fb63786f6cd4e366114524
Opcode Fuzzy Hash: e23bfec081706067996534733a384a8ef44de85b5d6f0bed2a495a9da34835bd
Instruction Fuzzy Hash: 99517CB0E152599FDB14CF65C980A9EFBB2FF89304F24C1AAD408A7255CB309E41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073C29BF, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553246045a0cc8ca3a5341af4ff09fbcd33b95e3e361d8d8a1fe6f8a37caca8a
Instruction ID: bf59791cf9a98c584c5acb0bd2e9a6aa705025e0b272f40516694dcc10f9e27f
Opcode Fuzzy Hash: 553246045a0cc8ca3a5341af4ff09fbcd33b95e3e361d8d8a1fe6f8a37caca8a
Instruction Fuzzy Hash: 2D51ABB1E156598FEB29CF6BC94478AFBF3AFC9200F14C1AAC44CA6215DB3059868F51

Uniqueness

Uniqueness Score: -1.00%

Function 073C1800, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be6670fdcfb8bdb9df260d9131f08c51f23578f730db6b36f28f298df7ab9fd
Instruction ID: eda3c61640570743872f0ad563324730bb5e43a363ae18aa761e09376b692018
Opcode Fuzzy Hash: 6be6670fdcfb8bdb9df260d9131f08c51f23578f730db6b36f28f298df7ab9fd
Instruction Fuzzy Hash: DE511AB0E1920A8FEB04DFA6C5815AEFBF2FF89300F14D46AC419E7259D3749A418F95

Uniqueness

Uniqueness Score: -1.00%

Function 073C1ECA, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30dd2e4075ba4c9f1b67f1d5340eb61a4e6328431e4516160ea3de216e38ab2
Instruction ID: 92f4c07413e549806b239ddec8de22e53078171a51875a5da51c33134a6c02e3
Opcode Fuzzy Hash: b30dd2e4075ba4c9f1b67f1d5340eb61a4e6328431e4516160ea3de216e38ab2
Instruction Fuzzy Hash: 6C512BB4E152198FEB58CF66C944A8EF7B3BF89300F15C1A9D509AB215DB309D81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 073C1810, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77d9b2032ac63b205ff02105096b7783e98bb3144483514c63aebf285abde0e
Instruction ID: b33a26556bf093f12ac373dc0380b5f70db469f06635ee7e6b6cc0988f0f1684
Opcode Fuzzy Hash: c77d9b2032ac63b205ff02105096b7783e98bb3144483514c63aebf285abde0e
Instruction Fuzzy Hash: 275108F0E1820E8BEB04DFA6C5815AEFBF6FF89300F14D46AC419A7219D7349A419F95

Uniqueness

Uniqueness Score: -1.00%

Function 073C8CE8, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8ec0c5f2b34a9c8c993336da69312369b74a92f366114aab9f1e2030c06044
Instruction ID: 7e342395f9f079c7b851fa5fa367b75230e449711221659fb6406fe7c9d31bc2
Opcode Fuzzy Hash: 3d8ec0c5f2b34a9c8c993336da69312369b74a92f366114aab9f1e2030c06044
Instruction Fuzzy Hash: 46515CB4E141198FDB14DF66D980A9EFBB7FB89304F24C16AD408A7255DB309E41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073C5588, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a6a4844fe8cde9e6f90c47e0f9db3a0e9e69cb7a454231359cffa331a5afdf
Instruction ID: 9cacf79ede2761ef61bc5329332e546dad090fbd09d885f0b53e1cf9801c2918
Opcode Fuzzy Hash: b5a6a4844fe8cde9e6f90c47e0f9db3a0e9e69cb7a454231359cffa331a5afdf
Instruction Fuzzy Hash: 89512BB1E15219CFDB14CF69D980B9EFBB2FF89310F2480AAD509AB250DB306E558F51

Uniqueness

Uniqueness Score: -1.00%

Function 073C2A08, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77215a2ade4c768d6242461649a96336095e54124d4f1c6e30c6f7a8b5262c97
Instruction ID: 29181d56e44b6c0c71303219263764e20e87bb4ec8e7716d7d4b9d380a9615bc
Opcode Fuzzy Hash: 77215a2ade4c768d6242461649a96336095e54124d4f1c6e30c6f7a8b5262c97
Instruction Fuzzy Hash: EA515BB5E016188BEB68CF6B8D4479EFAF7BFC9300F14C1BA950CA6225DB3059858F51

Uniqueness

Uniqueness Score: -1.00%

Function 073C5598, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e458d6f9c40de9a540cc836b51a0161a67c843179362102465e6b746368fa3
Instruction ID: e7cf43f651400022e0c37f8404570ca34e2c4e45d1cbb70496f8a01b0e0501fe
Opcode Fuzzy Hash: 82e458d6f9c40de9a540cc836b51a0161a67c843179362102465e6b746368fa3
Instruction Fuzzy Hash: AA412CB1E11619CFDB18CF69C980B9EFBF2BF89300F2480AAD509A7254DB306E518F51

Uniqueness

Uniqueness Score: -1.00%

Function 04C81B98, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.673219209.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbbf3175e107a0f2a5c4ce823b2e569dd41c108d4d2007f6bf9efda8979913c
Instruction ID: 6a0a68dc511da621f15b604fc553110ea89b8fc4834b2604ff86c2fb2d048592
Opcode Fuzzy Hash: 8fbbf3175e107a0f2a5c4ce823b2e569dd41c108d4d2007f6bf9efda8979913c
Instruction Fuzzy Hash: D5119E71D052188FCB059FA9C545BFDBBF1AB4A319F1C946AC042B7280CB389A46CB74

Uniqueness

Uniqueness Score: -1.00%

Function 073C6820, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40963f9669f1d58fee5e2febde27925ed6c4584fe32989c1add1c9d121e411fa
Instruction ID: fe9e4f194fe3763aceb0481e74760e2feecddaa2efe2c81e3c29531cddd26cac
Opcode Fuzzy Hash: 40963f9669f1d58fee5e2febde27925ed6c4584fe32989c1add1c9d121e411fa
Instruction Fuzzy Hash: 6C1106B1E11619DBEB48CFABD941ADEFBF7BBC9200F14C03AD508A7214DB305A458B91

Uniqueness

Uniqueness Score: -1.00%

Function 073C6812, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.676388053.00000000073C0000.00000040.00000001.sdmp, Offset: 073C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2ba8cda613032603c8c658b03d82597c97e6590a095530e8589b4cdec5487a
Instruction ID: bc953516b35d405675eb5d5ea9d5b4b7213a34c4ed36a6233330735693e1db98
Opcode Fuzzy Hash: 0c2ba8cda613032603c8c658b03d82597c97e6590a095530e8589b4cdec5487a
Instruction Fuzzy Hash: 9F2117B0E11619CBEB48CF6AC94169EBBF7AFC9300F14C06AD508A7264DB304A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04C81BA8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.673219209.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f6326966dd4a4d4e2ffde41a1d49490438bd90774ec738b85221215055c474
Instruction ID: 4cf3432d0d3914168a2a7e87c3918fc94f817da65ab1c8c4d7062420ec59e13a
Opcode Fuzzy Hash: e3f6326966dd4a4d4e2ffde41a1d49490438bd90774ec738b85221215055c474
Instruction Fuzzy Hash: 58117C30D042588FDB14DFA6C448BFEBBF2AB4D315F08906AD041B3280DB385A45CB78

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Quotation-4834898943949883.pdf.exe PID: 5888 Parent PID: 7052 Quotation-4834898943949883.pdf.exeCOMMON

Executed Functions

Function 00419FDB, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D
NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CreateRead
String ID: BMA$BMA
API String ID: 3388366904-2163208940
Opcode ID: 204a45d00782d7e49f24c3cfe308f0ece679457f0f83d2f6995dd78ebadb3dca
Instruction ID: 8c28fa39cd922ed51b6ce821e73191520e0e149862cf1c60f77432e3bbfd5adb
Opcode Fuzzy Hash: 204a45d00782d7e49f24c3cfe308f0ece679457f0f83d2f6995dd78ebadb3dca
Instruction Fuzzy Hash: 240104B2204108AFDB18DF99DC81EEB73ADEF8C364B158249FA1DD7241C631E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				intOrPtr* _t27;

				_t13 = _a4;
				_t27 = _a4 + 0xc48;
				E0041AB30(_t13, _t27,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t27))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A10D, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 43e3976877f6acb733cfad8a0fd71a054aca6cf59642eaab0f30701187322797
Instruction ID: b1df0341e56abc13da2fd11b8c9212efaaa0d310c3a589dcfcba7ad44039feef
Opcode Fuzzy Hash: 43e3976877f6acb733cfad8a0fd71a054aca6cf59642eaab0f30701187322797
Instruction Fuzzy Hash: C7F015BA210108AFCB14DF89CC90EEB7BADAF88354F158249FE5897241C630E811CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A05A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 36a5a2adc81f27572b341f43fff9e9696f8d3db9fb58b24d8c6830263e7535b3
Instruction ID: d73968bc456d5de9e32f46d5a9da6d88843793c6c8c9b46d3a6e11c3b76ca366
Opcode Fuzzy Hash: 36a5a2adc81f27572b341f43fff9e9696f8d3db9fb58b24d8c6830263e7535b3
Instruction Fuzzy Hash: 46E08C322003046BD710EB94CC45F9B7B68EF44760F044059BA189B282C530FA0087D0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01779860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0177986A

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42d680c767fc807cfd26ee6d7e5da497fb3ec73bb266bf45d793f20936cff6ba
Instruction ID: 2bd5919e88714193f29911616f0508cfeda5cdc7f670760f41842329c17a0e4f
Opcode Fuzzy Hash: 42d680c767fc807cfd26ee6d7e5da497fb3ec73bb266bf45d793f20936cff6ba
Instruction Fuzzy Hash: 2F90027124500417D1217199C504B075009A7D4281F91C422E041455CDD6968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 01779660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0177966A

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04cf8c0363711b3f7b3c9913b430aa2ef8eae10354c16a43ecb05125a6fbc56c
Instruction ID: 35da7bba118a46eab94dddfe866e31208d7a045f1d8f16806097141380d41ec2
Opcode Fuzzy Hash: 04cf8c0363711b3f7b3c9913b430aa2ef8eae10354c16a43ecb05125a6fbc56c
Instruction Fuzzy Hash: 2A90027124500806D1907199C404A4A5005A7D5341F91C025E0015658DCA558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 017796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017796EA

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9b517e35b1c94f1aca79bc310ca0b8a9ed53c8b98d700d182df391e4aaf2bba
Instruction ID: 5fc2c1157e5e3468d3fcd5ea2616ea22a04fd49ff419266a686798a928020df1
Opcode Fuzzy Hash: b9b517e35b1c94f1aca79bc310ca0b8a9ed53c8b98d700d182df391e4aaf2bba
Instruction Fuzzy Hash: F890027124508806D1207199C404B4A5005A7D4341F55C421E441465CDC6D588917161

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c5ef8e944cab25d8eb143591a8e1e58eaf9dd172324d68f82961ead0c2a810
Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
Opcode Fuzzy Hash: 88c5ef8e944cab25d8eb143591a8e1e58eaf9dd172324d68f82961ead0c2a810
Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A232, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0e582447316f1b9cee09083e8299565e6a480e5b60cda5d434668afffab1275e
Instruction ID: b88e06df42c281104d8e32b0d5231cccc8ba10aacce7b2539e89d65de6efa44e
Opcode Fuzzy Hash: 0e582447316f1b9cee09083e8299565e6a480e5b60cda5d434668afffab1275e
Instruction Fuzzy Hash: FC01B1712002006FDB24DF65CC85FE73B69EF89360F014699FA499B341C630E911CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0177967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01779694

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e52c5476a837171dc8a978811fbc4c23597294151a432131ad7c373fcd3f6cb1
Instruction ID: 8d8b8b9df7de148bfabd18389c0285160d661019b1c164103e54c779b07a4feb
Opcode Fuzzy Hash: e52c5476a837171dc8a978811fbc4c23597294151a432131ad7c373fcd3f6cb1
Instruction Fuzzy Hash: 39B09B719464C5C9DA11E7A48608F17F90077D4755F16C171D2024645B4778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 017EB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 017EB314
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 017EB2DC
a NULL pointer, xrefs: 017EB4E0
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 017EB53F
*** An Access Violation occurred in %ws:%s, xrefs: 017EB48F
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 017EB476
The resource is owned exclusively by thread %p, xrefs: 017EB374
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017EB38F
The critical section is owned by thread %p., xrefs: 017EB3B9
*** Resource timeout (%p) in %ws:%s, xrefs: 017EB352
This failed because of error %Ix., xrefs: 017EB446
*** enter .exr %p for the exception record, xrefs: 017EB4F1
*** then kb to get the faulting stack, xrefs: 017EB51C
an invalid address, %p, xrefs: 017EB4CF
The instruction at %p referenced memory at %p., xrefs: 017EB432
*** enter .cxr %p for the context, xrefs: 017EB50D
read from, xrefs: 017EB4AD, 017EB4B2
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017EB3D6
The instruction at %p tried to %s , xrefs: 017EB4B6
*** Inpage error in %ws:%s, xrefs: 017EB418
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 017EB323
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 017EB305
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 017EB47D
The resource is owned shared by %d threads, xrefs: 017EB37E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 017EB2F3
<unknown>, xrefs: 017EB27E, 017EB2D1, 017EB350, 017EB399, 017EB417, 017EB48E
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 017EB39B
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 017EB484
Go determine why that thread has not released the critical section., xrefs: 017EB3C5
write to, xrefs: 017EB4A6

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: ffbb633c31583176b958083514b74cd13b4826a55fd77658c977be8cf3e48d4d
Instruction ID: 2078786cc64fa6bc0757e2697b06f268a654d40d79fd040114afe7d949142c38
Opcode Fuzzy Hash: ffbb633c31583176b958083514b74cd13b4826a55fd77658c977be8cf3e48d4d
Instruction Fuzzy Hash: 4D8106B5A40220FFDB316A8ACC5ED7BFFA5EF5AB51F40408CF5046B116D2629492C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 017F1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E017F1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x17148a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0173B150();
				} else {
					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x182589c);
				E0173B150("Heap error detected at %p (heap handle %p)\n",  *0x18258a0);
				_t27 =  *0x1825898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M017F1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0173B150();
				} else {
					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0173B150("Error code: %d - %s\n",  *0x1825898);
				_t113 =  *0x18258a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0173B150();
					} else {
						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0173B150("Parameter1: %p\n",  *0x18258a4);
				}
				_t115 =  *0x18258a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0173B150();
					} else {
						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0173B150("Parameter2: %p\n",  *0x18258a8);
				}
				_t117 =  *0x18258ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0173B150();
					} else {
						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0173B150("Parameter3: %p\n",  *0x18258ac);
				}
				_t119 =  *0x18258b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0173B150();
					} else {
						E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x18258b4);
					E0173B150("Last known valid blocks: before - %p, after - %p\n",  *0x18258b0);
				} else {
					_t120 =  *0x18258b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0173B150();
				} else {
					E0173B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0173B150("Stack trace available at %p\n", 0x18258c0);
			}

0x017f1c10
0x017f1c16
0x017f1c1e
0x017f1c3d
0x017f1c3e
0x017f1c20
0x017f1c35
0x017f1c3a
0x017f1c44
0x017f1c55
0x017f1c5a
0x017f1c65
0x017f1c67
0x00000000
0x017f1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x017f1c67
0x017f1cdc
0x017f1ce5
0x017f1d04
0x017f1d05
0x017f1ce7
0x017f1cfc
0x017f1d01
0x017f1d0b
0x017f1d17
0x017f1d1f
0x017f1d25
0x017f1d30
0x017f1d4f
0x017f1d50
0x017f1d32
0x017f1d47
0x017f1d4c
0x017f1d61
0x017f1d67
0x017f1d68
0x017f1d6e
0x017f1d79
0x017f1d98
0x017f1d99
0x017f1d7b
0x017f1d90
0x017f1d95
0x017f1daa
0x017f1db0
0x017f1db1
0x017f1db7
0x017f1dc2
0x017f1de1
0x017f1de2
0x017f1dc4
0x017f1dd9
0x017f1dde
0x017f1df3
0x017f1df9
0x017f1dfa
0x017f1e00
0x017f1e0a
0x017f1e13
0x017f1e32
0x017f1e33
0x017f1e15
0x017f1e2a
0x017f1e2f
0x017f1e39
0x017f1e4a
0x017f1e02
0x017f1e02
0x017f1e08
0x00000000
0x00000000
0x017f1e08
0x017f1e5b
0x017f1e7a
0x017f1e7b
0x017f1e5d
0x017f1e72
0x017f1e77
0x017f1e95

Strings

heap_failure_multiple_entries_corruption, xrefs: 017F1C8A
Last known valid blocks: before - %p, after - %p, xrefs: 017F1E45
HEAP[%wZ]: , xrefs: 017F1C30, 017F1CF7, 017F1D42, 017F1D8B, 017F1DD4, 017F1E25, 017F1E6D
HEAP: , xrefs: 017F1C16, 017F1C3D, 017F1D04, 017F1D4F, 017F1D98, 017F1DE1, 017F1E32, 017F1E7A
heap_failure_unknown, xrefs: 017F1C75
Parameter1: %p, xrefs: 017F1D5C
heap_failure_block_not_busy, xrefs: 017F1CA6
heap_failure_buffer_overrun, xrefs: 017F1C98
Parameter3: %p, xrefs: 017F1DEE
heap_failure_listentry_corruption, xrefs: 017F1CD0
heap_failure_virtual_block_corruption, xrefs: 017F1C91
Error code: %d - %s, xrefs: 017F1D12
Stack trace available at %p, xrefs: 017F1E86
heap_failure_invalid_argument, xrefs: 017F1CAD
heap_failure_generic, xrefs: 017F1C7C
heap_failure_lfh_bitmap_mismatch, xrefs: 017F1CD7
heap_failure_internal, xrefs: 017F1C6E
Heap error detected at %p (heap handle %p), xrefs: 017F1C50
heap_failure_entry_corruption, xrefs: 017F1C83
Parameter2: %p, xrefs: 017F1DA5
heap_failure_freelists_corruption, xrefs: 017F1CC9
heap_failure_buffer_underrun, xrefs: 017F1C9F
heap_failure_invalid_allocation_type, xrefs: 017F1CB4
heap_failure_cross_heap_operation, xrefs: 017F1CC2
heap_failure_usage_after_free, xrefs: 017F1CBB

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: d44620f31007172ead41c45aaaf57e7be9c68bb6f01141b018e0e4cab8a43839
Instruction ID: 5757da4b58ecb61db55a2815a4b5d42cc65b3a056331bd264293c403ad5461a6
Opcode Fuzzy Hash: d44620f31007172ead41c45aaaf57e7be9c68bb6f01141b018e0e4cab8a43839
Instruction Fuzzy Hash: 6F61D473554155DFD221AB8DD498E36F3A4EB04A30F4980BFFB095B345DAB49982CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 0176C9BF, Relevance: 14.2, Strings: 11, Instructions: 412
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0176C9BF(signed int __ecx, signed int __edx, signed int _a4, intOrPtr _a12) {
				signed int _v12;
				char _v552;
				char _v1072;
				char _v1073;
				signed int _v1080;
				signed int _v1084;
				signed short _v1088;
				signed int _v1092;
				signed short _v1094;
				char _v1096;
				char _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				char _v1112;
				char _v1116;
				signed short _v1120;
				char _v1124;
				char* _v1128;
				char _v1132;
				char _v1135;
				char _v1136;
				signed int _v1140;
				char _v1144;
				intOrPtr _v1148;
				short _v1150;
				char _v1152;
				signed int _v1156;
				char* _v1160;
				char _v1164;
				signed int _v1168;
				signed int _v1172;
				intOrPtr _v1176;
				intOrPtr _v1180;
				char _v1184;
				signed int _v1188;
				signed int _v1192;
				intOrPtr _v1196;
				char* _v1200;
				intOrPtr _v1204;
				char _v1208;
				char _v1216;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t166;
				void* _t184;
				signed short _t188;
				char _t199;
				intOrPtr _t200;
				signed int _t205;
				signed int _t207;
				intOrPtr _t218;
				short _t219;
				char _t236;
				char _t242;
				signed int _t253;
				intOrPtr _t258;
				void* _t260;
				signed int _t272;
				void* _t276;
				unsigned int _t277;
				signed short _t279;
				signed int _t280;
				void* _t281;
				void* _t305;

				_t271 = __edx;
				_v12 =  *0x182d360 ^ _t280;
				_t253 = _a4;
				_v1104 = _a12;
				_t272 = __ecx;
				_v1160 =  &_v1072;
				_v1168 = __ecx;
				_t166 = 0;
				_v1073 = 0;
				_v1084 = 0;
				_t274 = 0;
				_v1156 = 0;
				_v1164 = 0x2080000;
				_v1096 = 0;
				_v1092 = 0;
				_v1112 = 0;
				_v1108 = 0;
				_v1100 = 0;
				if(__ecx == 0) {
					L67:
					_push(_t166);
					_push(_t253);
					_push(_t271);
					_push(_t272);
					E017C5720(0x33, 0, "SXS: %s() bad parameters\nSXS:   Map                : %p\nSXS:   Data               : %p\nSXS:   AssemblyRosterIndex: 0x%lx\nSXS:   Map->AssemblyCount : 0x%lx\n", "RtlpResolveAssemblyStorageMapEntry");
					_t274 = 0xc000000d;
					L21:
					if(_v1073 == 0) {
						L23:
						if(_v1092 != 0) {
							E0173AD30(_v1092);
						}
						L24:
						if(_v1084 != 0) {
							_push(_v1084);
							E017795D0();
						}
						_t170 = _v1156;
						if(_v1156 != 0) {
							L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t170);
						}
						L26:
						return E0177B640(_t274, _t253, _v12 ^ _t280, _t271, _t272, _t274);
					}
					L22:
					_v1144 = _v1100;
					E0176CCC0(4,  &_v1144, _v1104);
					goto L23;
				}
				if(__edx == 0 || _t253 < 1 || _t253 >  *((intOrPtr*)(__ecx + 4))) {
					_t166 =  *((intOrPtr*)(_t272 + 4));
					goto L67;
				} else {
					if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t253 * 4)) != 0) {
						goto L26;
					}
					asm("lfence");
					_t258 =  *((intOrPtr*)(__edx + 0x18));
					_t260 =  *((intOrPtr*)(_t258 + __edx + 0x10)) + __edx;
					_t276 =  *((intOrPtr*)(_t253 * 0x18 +  *((intOrPtr*)(_t258 + __edx + 0xc)) + __edx + 0x10)) + __edx;
					_t181 =  *((intOrPtr*)(_t276 + 0x50));
					if( *((intOrPtr*)(_t276 + 0x50)) > 0xfffe) {
						_push(__edx);
						E017C5720(0x33, 0, "SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p\n", _t181);
						_t274 = 0xc0000106;
						goto L23;
					}
					if(( *(_t276 + 4) & 0x00000010) != 0) {
						_v1080 =  &_v1164;
						_t272 =  *((intOrPtr*)(_t276 + 0x18)) + _t260;
						if(_t272 != 0) {
							_t184 = L017813D0(_t272, 0x5c);
							if(_t184 != 0) {
								_t188 = 0x00000004 + (_t184 - _t272 >> 0x00000001) * 0x00000002 & 0x0000ffff;
								_v1088 = _t188;
								_t277 = _t188 & 0x0000ffff;
								if(_t188 <= 0x208) {
									_t264 = _v1080;
									L39:
									E0177F3E0( *((intOrPtr*)(_t264 + 4)), _t272, _t277 - 2);
									_t281 = _t281 + 0xc;
									 *((short*)( *((intOrPtr*)(_v1080 + 4)) + (_t277 >> 1) * 2 - 2)) = 0;
									 *_v1080 = _v1088 + 0xfffffffe;
									L18:
									if(_v1084 == 0) {
										if(E01746A00( *((intOrPtr*)(_v1080 + 4)),  &_v1112, 0,  &_v1184) != 0) {
											_v1156 = _v1108;
											_t199 = _v1184;
											if(_t199 == 0) {
												_t200 = 0;
											} else {
												_v1112 = _t199;
												_v1108 = _v1180;
												_t200 = _v1176;
											}
											_v1192 = _v1192 & 0x00000000;
											_v1188 = _v1188 & 0x00000000;
											_v1204 = _t200;
											_push(0x21);
											_v1200 =  &_v1112;
											_push(3);
											_push( &_v1216);
											_v1208 = 0x18;
											_push( &_v1208);
											_push(0x100020);
											_v1196 = 0x40;
											_push( &_v1084);
											_t205 = E01779830();
											_t272 = _v1172;
											_t274 = _t205;
											if(_t272 != 0) {
												asm("lock xadd [edi], eax");
												if((_t205 | 0xffffffff) == 0) {
													_push( *((intOrPtr*)(_t272 + 4)));
													E017795D0();
													L017577F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t272);
												}
											}
											if(_t274 >= 0) {
												goto L19;
											} else {
												_push(_t274);
												E017C5720(0x33, 0, "SXS: Unable to open assembly directory under storage root \"%S\"; Status = 0x%08lx\n",  *((intOrPtr*)(_v1080 + 4)));
												goto L21;
											}
										}
										E017C5720(0x33, 0, "SXS: Attempt to translate DOS path name \"%S\" to NT format failed\n",  *((intOrPtr*)(_v1080 + 4)));
										_t274 = 0xc000003a;
										goto L21;
									}
									L19:
									_t271 = _t253;
									_t207 = E0176CE6C(_v1168, _t253, _v1080,  &_v1084);
									_t274 = _t207;
									if(_t207 < 0) {
										E017C5720(0x33, 0, "SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx\n", _t274);
									} else {
										_t274 = 0;
									}
									goto L21;
								}
								_v1094 = _t188;
								_t218 = E01753A1C(_t277);
								_v1092 = _t218;
								if(_t218 != 0) {
									_t264 =  &_v1096;
									_v1080 =  &_v1096;
									goto L39;
								}
								_t274 = 0xc0000017;
								goto L24;
							}
							_t274 = 0xc00000e5;
							goto L23;
						}
						_t274 = 0xc00000e5;
						goto L26;
					}
					_v1080 = _v1080 & 0x00000000;
					_t219 =  *((intOrPtr*)(_t276 + 0x50));
					_v1152 = _t219;
					_v1150 = _t219;
					_v1144 = __edx;
					_v1148 =  *((intOrPtr*)(_t276 + 0x54)) + _t260;
					_v1140 = _t253;
					_v1128 =  &_v552;
					_v1136 = 0;
					_v1132 = 0x2160000;
					_v1124 = 0;
					_v1116 = 0;
					_v1120 = 0;
					E0176CCC0(1,  &_v1144, _v1104);
					if(_v1116 != 0) {
						_t274 = 0xc0000120;
						goto L23;
					}
					if(_v1124 != 0) {
						_t271 =  &_v1132;
						_t274 = E0176CF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
						if(_t274 >= 0) {
							_t271 = _t253;
							_t274 = E0176CE6C(_t272, _t253,  &_v1132,  &_v1084);
							if(_t274 < 0) {
								_push(_t274);
								_push(_t253);
								_push("SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx\n");
								L44:
								_push(0);
								_push(0x33);
								E017C5720();
								goto L23;
							}
							_t274 = 0;
							goto L23;
						}
						_push(_t274);
						_push( &_v1132);
						_push("SXS: Attempt to probe known root of assembly storage (\"%wZ\") failed; Status = 0x%08lx\n");
						goto L44;
					}
					_t279 = _v1120;
					_t272 = 0;
					_t236 = _v1136;
					_v1100 = _t236;
					_v1088 = _t279;
					_v1073 = 1;
					if(_t279 == 0) {
						L16:
						_t305 = _t272 - _t279;
						L17:
						if(_t305 == 0) {
							L54:
							_push(_t272);
							E017C5720(0x33, 0, "SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries\n",  &_v1152);
							_t274 = 0xc0150004;
							goto L22;
						}
						goto L18;
					} else {
						goto L10;
					}
					while(1) {
						L10:
						_v1144 = _t236;
						_v1128 =  &_v552;
						_v1140 = _t272;
						_v1132 = 0x2160000;
						_v1136 = 0;
						E0176CCC0(2,  &_v1144, _v1104);
						if(_v1136 != 0) {
							break;
						}
						_t242 = _v1132;
						if(_v1135 != 0) {
							if(_t242 == 0) {
								goto L54;
							}
							_t119 = _t272 + 1; // 0x1
							_t279 = _t119;
							_v1088 = _t279;
						}
						if(_t242 == 0) {
							L27:
							_t272 = _t272 + 1;
							if(_t272 >= _t279) {
								goto L17;
							} else {
								_t236 = _v1100;
								continue;
							}
						}
						if(_v1084 != 0) {
							_push(_v1084);
							E017795D0();
							_v1084 = _v1084 & 0x00000000;
						}
						_t271 =  &_v1132;
						_t274 = E0176CF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
						if(_t274 < 0) {
							if(_t274 != 0xc0150004) {
								_push(_t274);
								_push( &_v1152);
								E017C5720(0x33, 0, "SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx\n",  &_v1132);
								goto L22;
							}
							_t279 = _v1088;
							goto L27;
						} else {
							_t279 = _v1088;
							goto L16;
						}
					}
					_t274 = 0xc0000120;
					goto L22;
				}
			}

0x0176c9bf
0x0176c9d1
0x0176c9d8
0x0176c9dc
0x0176c9e9
0x0176c9eb
0x0176c9f3
0x0176c9f9
0x0176c9fb
0x0176ca01
0x0176ca07
0x0176ca09
0x0176ca0f
0x0176ca19
0x0176ca1f
0x0176ca25
0x0176ca2b
0x0176ca31
0x0176ca39
0x017aac23
0x017aac23
0x017aac24
0x017aac25
0x017aac26
0x017aac34
0x017aac3c
0x0176cc3c
0x0176cc43
0x0176cc65
0x0176cc6c
0x017aac4c
0x017aac4c
0x0176cc72
0x0176cc79
0x017aac56
0x017aac5c
0x017aac5c
0x0176cc7f
0x0176cc87
0x017aac72
0x017aac72
0x0176cc8d
0x0176cc9f
0x0176cc9f
0x0176cc45
0x0176cc51
0x0176cc60
0x00000000
0x0176cc60
0x0176ca41
0x017aac20
0x00000000
0x0176ca59
0x0176ca5f
0x00000000
0x00000000
0x0176ca65
0x0176ca68
0x0176ca76
0x0176ca7c
0x0176ca7e
0x0176ca86
0x017aa8ea
0x017aa8f5
0x017aa8fd
0x00000000
0x017aa8fd
0x0176ca90
0x017aa90d
0x017aa916
0x017aa918
0x017aa927
0x017aa930
0x017aa94c
0x017aa94f
0x017aa955
0x017aa95b
0x017aa98c
0x017aa992
0x017aa99a
0x017aa9a9
0x017aa9af
0x017aa9c3
0x0176cc09
0x0176cc10
0x017aab03
0x017aab2f
0x017aab35
0x017aab3e
0x017aab5a
0x017aab40
0x017aab40
0x017aab4c
0x017aab52
0x017aab52
0x017aab5c
0x017aab63
0x017aab6a
0x017aab76
0x017aab78
0x017aab84
0x017aab86
0x017aab8d
0x017aab97
0x017aab98
0x017aaba3
0x017aabad
0x017aabae
0x017aabb3
0x017aabb9
0x017aabbd
0x017aabc2
0x017aabc6
0x017aabc8
0x017aabcb
0x017aabdc
0x017aabdc
0x017aabc6
0x017aabe3
0x00000000
0x017aabe9
0x017aabef
0x017aabfc
0x00000000
0x017aac01
0x017aabe3
0x017aab17
0x017aab1f
0x00000000
0x017aab1f
0x0176cc16
0x0176cc29
0x0176cc2b
0x0176cc30
0x0176cc34
0x017aac13
0x0176cc3a
0x0176cc3a
0x0176cc3a
0x00000000
0x0176cc34
0x017aa95e
0x017aa965
0x017aa96a
0x017aa972
0x017aa97e
0x017aa984
0x00000000
0x017aa984
0x017aa974
0x00000000
0x017aa974
0x017aa932
0x00000000
0x017aa932
0x017aa91a
0x00000000
0x017aa91a
0x0176ca96
0x0176ca9d
0x0176caa7
0x0176caae
0x0176caba
0x0176cac0
0x0176cace
0x0176cad4
0x0176cae3
0x0176cae9
0x0176caf3
0x0176caf9
0x0176caff
0x0176cb05
0x0176cb11
0x017aa9cb
0x00000000
0x017aa9cb
0x0176cb1e
0x017aa9f8
0x017aaa03
0x017aaa07
0x017aaa36
0x017aaa47
0x017aaa4b
0x017aaa18
0x017aaa19
0x017aaa1a
0x017aaa1f
0x017aaa1f
0x017aaa21
0x017aaa23
0x00000000
0x017aaa28
0x017aaa4d
0x00000000
0x017aaa4d
0x017aaa09
0x017aaa10
0x017aaa11
0x00000000
0x017aaa11
0x0176cb24
0x0176cb2a
0x0176cb2c
0x0176cb32
0x0176cb38
0x0176cb3e
0x0176cb47
0x0176cc01
0x0176cc01
0x0176cc03
0x0176cc03
0x017aaac0
0x017aaac0
0x017aaad1
0x017aaad9
0x00000000
0x017aaad9
0x00000000
0x00000000
0x00000000
0x00000000
0x0176cb4d
0x0176cb4d
0x0176cb53
0x0176cb5f
0x0176cb6e
0x0176cb74
0x0176cb7e
0x0176cb87
0x0176cb93
0x00000000
0x00000000
0x0176cba0
0x0176cba7
0x017aaa57
0x00000000
0x00000000
0x017aaa59
0x017aaa59
0x017aaa5c
0x017aaa5c
0x0176cbb0
0x0176cca2
0x0176cca2
0x0176cca5
0x00000000
0x0176ccab
0x0176ccab
0x00000000
0x0176ccab
0x0176cca5
0x0176cbbd
0x017aaa67
0x017aaa6d
0x017aaa72
0x017aaa72
0x0176cbe6
0x0176cbf1
0x0176cbf5
0x017aaa84
0x017aaa91
0x017aaa98
0x017aaaa9
0x00000000
0x017aaaae
0x017aaa86
0x00000000
0x0176cbfb
0x0176cbfb
0x00000000
0x0176cbfb
0x0176cbf5
0x017aaab6
0x00000000
0x017aaab6

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017AABF3
RtlpResolveAssemblyStorageMapEntry, xrefs: 017AAC27
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 017AAA11
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017AA8EC
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017AAAC8
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 017AAC2C
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 017AAC0A
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 017AAAA0
@, xrefs: 017AABA3
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 017AAB0E
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 017AAA1A

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: adeffb7b736f1b2266c6fe376210b74a6d8569c10cec37ffd7f98706c03acfc9
Instruction ID: 6522ca57fa22575a34e6c5bf038a77fe97755e7261db6cd17e8fdeaee4a66486
Opcode Fuzzy Hash: adeffb7b736f1b2266c6fe376210b74a6d8569c10cec37ffd7f98706c03acfc9
Instruction Fuzzy Hash: 48026FF1D002299BDB32DB14CD84BAAF7B8AF54704F4041EAEA49A7241DB319F84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 017F4AEF, Relevance: 11.8, Strings: 9, Instructions: 529COMMON

Download Yara Rule

Strings

Heap block at %p is not last block in segment (%p), xrefs: 017F4FD6
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 017F50C6
Free Heap block %p modified at %p after it was freed, xrefs: 017F4F2F
Heap block at %p has incorrect segment offset (%x), xrefs: 017F503B
HEAP[%wZ]: , xrefs: 017F4EE1, 017F4F0D, 017F4F5D, 017F4FBA, 017F501D, 017F5061, 017F50FA
HEAP: , xrefs: 017F4F1A, 017F4F6A, 017F4FC7, 017F502A, 017F506E, 017F50B6, 017F5107
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 017F4F81
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 017F5119
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 017F508C

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: df918a1ef34c7ac611a221b15c65868d120b2323fcee216eb3cb49999a1c7cc1
Instruction ID: 595a051d8a3ebd7b46012d75e01b4de027e8e288c876164dd452aa53e0df15a1
Opcode Fuzzy Hash: df918a1ef34c7ac611a221b15c65868d120b2323fcee216eb3cb49999a1c7cc1
Instruction Fuzzy Hash: 7F12AD702006429FD725CF29C498BBBFBF1EF48614F18845DE6868B782D774E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017F4496, Relevance: 10.4, Strings: 8, Instructions: 417COMMON

Download Yara Rule

Strings

Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 017F4992
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 017F47E2
dedicated (%04Ix) free list element %p is marked busy, xrefs: 017F46CF
HEAP[%wZ]: , xrefs: 017F4652, 017F46B3, 017F47C6, 017F4851, 017F4917, 017F496B
HEAP: , xrefs: 017F465F, 017F46C0, 017F47D3, 017F485E, 017F4924, 017F4978
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 017F486F
Non-Dedicated free list element %p is out of order, xrefs: 017F466B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 017F493D

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 4185e74cdcd74ad64df25b706465194471498b586ea59bd3163c7cf6a16048bf
Instruction ID: efeb094427545e5bea63fa64ad0773185ccd7be7ae4e2e573003e42ab40cfb79
Opcode Fuzzy Hash: 4185e74cdcd74ad64df25b706465194471498b586ea59bd3163c7cf6a16048bf
Instruction Fuzzy Hash: 83F10D71600646EFDB21CB69C488BABFBF5FF49314F14806EE2469B742D770AA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0176CF6A, Relevance: 9.1, Strings: 7, Instructions: 321COMMON

Download Yara Rule

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017AAF46
RtlpProbeAssemblyStorageRootForAssembly, xrefs: 017AAFCE
SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 017AAFD3
SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 017AAE56
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 017AAE87
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 017AAEB8
@, xrefs: 0176D16E

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
API String ID: 0-541586583
Opcode ID: 81b0b4f10cc62829e712603398bcbd0b77030cc2408459253c52160ce2374ae7
Instruction ID: 71b84feb26d8fdda0f0e20618f845d14cc768e22a66bd9a5d4217bc6f73cd1d4
Opcode Fuzzy Hash: 81b0b4f10cc62829e712603398bcbd0b77030cc2408459253c52160ce2374ae7
Instruction Fuzzy Hash: A4C1C371A01229DFDB349F59CC88BAAF7B8EF98710F1541D9E948AB290D7309E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0175A309, Relevance: 8.2, Strings: 6, Instructions: 687COMMON

Download Yara Rule

Strings

(UCRBlock != NULL), xrefs: 017A1EA0
HEAP[%wZ]: , xrefs: 017A1E88, 017A1F71, 017A2124, 017A225C
HEAP: , xrefs: 017A1E95, 017A1F7E, 017A2131, 017A2269
(!TrailingUCR), xrefs: 017A2274
((LONG)FreeEntry->Size > 1), xrefs: 017A1F89
(LONG)FreeEntry->Size > 1, xrefs: 017A213C

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 577c6671f3ce052fc5eae3e3c65ae6e3a455c2d22a2aecc9e0893596235a3022
Instruction ID: d12f00f31091de6fac26e8e6db6560d53346f24f1a960eab2bdfde4d69a63771
Opcode Fuzzy Hash: 577c6671f3ce052fc5eae3e3c65ae6e3a455c2d22a2aecc9e0893596235a3022
Instruction Fuzzy Hash: 0F4202316083829FD755CF28C488B2AFBE5FF98204F544A6DF9868B352D7B4D981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 017F2D82, Relevance: 7.7, Strings: 6, Instructions: 228COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 017F305E
HEAP[%wZ]: , xrefs: 017F2F3E, 017F2FEB, 017F3042
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 017F3015
HEAP: , xrefs: 017F2F4B, 017F2FF8, 017F304F
RtlAllocateHeap, xrefs: 017F2DCA
Just allocated block at %p for %Ix bytes, xrefs: 017F2F5F

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: ba613a62adf6dfcf23a8a3a6e189291bb319f70e5549b8aa3e6180a9a8ee9cb4
Instruction ID: c747b983349ebe62990eee6233069bab7350d7cb233fa17b1251fea84c60f122
Opcode Fuzzy Hash: ba613a62adf6dfcf23a8a3a6e189291bb319f70e5549b8aa3e6180a9a8ee9cb4
Instruction Fuzzy Hash: 7491E231610645DFDB26DF68C458AAEFBF2FF49710F18805EE6465B396C7329942CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0176CCC0, Relevance: 7.7, Strings: 6, Instructions: 218COMMON

Download Yara Rule

Strings

\WinSxS\, xrefs: 0176CDF3
SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 017AAD9C
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 017AAD78
.Local\, xrefs: 0176CD61
@, xrefs: 0176CE1D
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 017AAD06

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
API String ID: 0-3926108909
Opcode ID: 46d3745908c348ed4c9d2360a13851bb57ccba8ed02a07a9488dde95d8065732
Instruction ID: 7804f0533e9b3777554ff3347df5b43d5d1881dec9a89ec00bfecaf60e1e03d6
Opcode Fuzzy Hash: 46d3745908c348ed4c9d2360a13851bb57ccba8ed02a07a9488dde95d8065732
Instruction Fuzzy Hash: F581DE716053419FDB12DF28C884A2BFBE8BF95700F44895EFD859B245D370D984CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01752430, Relevance: 6.7, Strings: 5, Instructions: 461COMMON

Download Yara Rule

Strings

Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 0179D3CC
Internal error check failed, xrefs: 0179D3DB
, xrefs: 017524E4
minkernel\ntdll\sxsisol.cpp, xrefs: 0179D3D6
, xrefs: 017524C0

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: e7483dd2f19f65f59cee551e0b52511a7573417e7ece8c02b5a20b988520657f
Instruction ID: e6241e92c06dbd9d0de2b33f8db091e90f8256ac329ab2d358e8f61888c6d113
Opcode Fuzzy Hash: e7483dd2f19f65f59cee551e0b52511a7573417e7ece8c02b5a20b988520657f
Instruction Fuzzy Hash: 37029D71508341CBD761DF68C0447ABFBE0BF88714F14495EEE9997252E7B0D948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01743D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-SKU, xrefs: 01743F70
Kernel-MUI-Language-Allowed, xrefs: 01743DC0
Kernel-MUI-Number-Allowed, xrefs: 01743D8C
Kernel-MUI-Language-Disallowed, xrefs: 01743E97
WindowsExcludedProcs, xrefs: 01743D6F

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: c9237cda180747c03c2569e7a721f07b48d36f333c8f1302087928c9ecc04a2d
Instruction ID: d1f31bb76dbe9834f44f0f0df657eadcf852884b31d85cb3cb7b7d78ab7f2805
Opcode Fuzzy Hash: c9237cda180747c03c2569e7a721f07b48d36f333c8f1302087928c9ecc04a2d
Instruction Fuzzy Hash: 27F15E72D00619EFCF11DF98D984AEEFBB9FF09650F1400AAE906A7214D7749E05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017340E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

Invalid heap signature for heap at %p, xrefs: 01790458
HEAP[%wZ]: , xrefs: 0179043F
HEAP: , xrefs: 0179044C
, passed to %s, xrefs: 01790469
RtlAllocateHeap, xrefs: 01790468

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 1ded857ed9d0d3c3003a863db4f388c941dc894f0210aca9ac1590e99d7ea439
Instruction ID: abf66e9ac807fad8d6d4072524a54b4c26c87520e1d27e2c3dceddfe16d55c58
Opcode Fuzzy Hash: 1ded857ed9d0d3c3003a863db4f388c941dc894f0210aca9ac1590e99d7ea439
Instruction Fuzzy Hash: 12014C72111241AFD33A9B6DF45DF56F7A8DB81F30F28806FF00547656CAE49444C610

Uniqueness

Uniqueness Score: -1.00%

Function 0175A830, Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 017A22F3
HEAP[%wZ]: , xrefs: 017A22D7, 017A23E7
HEAP: , xrefs: 017A22E6, 017A23F6
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 017A2403

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 8dd0490bea1ae90e30cc250e1549207350061ebc5afac1460dcb377a0f8fa4f3
Instruction ID: da11ba38aa4dc0cfda224fc701e0320f6bd84a9d54260fc8bbdc96172f4fa065
Opcode Fuzzy Hash: 8dd0490bea1ae90e30cc250e1549207350061ebc5afac1460dcb377a0f8fa4f3
Instruction Fuzzy Hash: 1DD1BF74A002468FDB59CF68C490BBAFBF1FF88300F1586B9D95A9B346E370A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0175A229, Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 017A1DF9
HEAP[%wZ]: , xrefs: 017A1DD7
HEAP: , xrefs: 017A1DE4
`, xrefs: 017A1C8D

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: e6166e7dae57133132f31ceea6ecd3ec2ebebfd059ee9d07e8f19691412272e4
Instruction ID: a392878963e44cf9bbb9017fb6d365f572458d855cda1d6580c1e9435e9b6184
Opcode Fuzzy Hash: e6166e7dae57133132f31ceea6ecd3ec2ebebfd059ee9d07e8f19691412272e4
Instruction Fuzzy Hash: ED5106322056819FE722DB68C849F67FBE8FFC0750F580668F9558B292D7B4D940CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017F49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017F4A3D, 017F4AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 017F4A61
HEAP: , xrefs: 017F4A4A, 017F4A5D, 017F4A5F, 017F4AC4
This is located in the %s field of the heap header., xrefs: 017F4AD6

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 24af9a584fcf4465a31363251a244ed682f8db9a4074eec18387d0d5adc79be3
Instruction ID: 1ad4c9ac65d2864e93bee317f66e9ec9cc2509fac32fe1d81aa3343708e1e264
Opcode Fuzzy Hash: 24af9a584fcf4465a31363251a244ed682f8db9a4074eec18387d0d5adc79be3
Instruction Fuzzy Hash: 70311476200110EFD721DF6DC889F6BF7E8EF04624F14419EF6068B355E674AA48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 017F3518, Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017F3548
HEAP: , xrefs: 017F3555
May not destroy the process heap at %p, xrefs: 017F3561
RtlDestroyHeap, xrefs: 017F3571

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: 814bf4f5b45d71e5acf015bad3c2121658bff2b286ff00fb791e52ea2e95071e
Instruction ID: 5fc914f7c15f077a2284d30c22a2b928d190b1ee27f49f9c30f409d561104bb6
Opcode Fuzzy Hash: 814bf4f5b45d71e5acf015bad3c2121658bff2b286ff00fb791e52ea2e95071e
Instruction Fuzzy Hash: FC01D6761106049FCB25EB7D848CFABF7E8FBC1A10F1084AEF5069B346DA74E944C664

Uniqueness

Uniqueness Score: -1.00%

Function 017599BF, Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017A1550, 017A1617, 017A17BC, 017A1905
HEAP: , xrefs: 017A155D, 017A1624, 017A17C9, 017A1912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 017A1572, 017A1639, 017A17DE, 017A1927

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: e152e571aabc652b9aa75c5220b43c17013ea5e8585fd3e66b394d00bd2d1091
Instruction ID: f36826c97a9baa9a49b80f167791ba67a886e260409951efcf6d06d89055e77a
Opcode Fuzzy Hash: e152e571aabc652b9aa75c5220b43c17013ea5e8585fd3e66b394d00bd2d1091
Instruction Fuzzy Hash: AF22F5706002429FEB25CF2CC494B7AFBF5EF84704F6886A9E9858B346E771D981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0175B477, Relevance: 4.2, Strings: 3, Instructions: 405COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017A2973
HEAP: , xrefs: 017A2980
(UCRBlock->Size >= *Size), xrefs: 017A298B

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 91ede0918c8ae50f5c86eb91e1528283e92418097ef9a887979e18de702d3fa2
Instruction ID: 7d50917273e94c554bc682dc0c67e8314cb00fb93a26485813d0a65568bdf088
Opcode Fuzzy Hash: 91ede0918c8ae50f5c86eb91e1528283e92418097ef9a887979e18de702d3fa2
Instruction Fuzzy Hash: 57E1AF70600245DFDB19CF68C894B7AFBB6FF84704F2481A9E9069B392D770E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01738239, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 01792F2C
UseFilter, xrefs: 01738263
\??\, xrefs: 01792E2A

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: dea0c39d83b788368bab7310d2a952978a026d05a920cc7e3c4b71faf5b2beb8
Instruction ID: a110ec83d42d25f76b9a961c37eedb5805bddab7e356fc2fe1099c8d5448a195
Opcode Fuzzy Hash: dea0c39d83b788368bab7310d2a952978a026d05a920cc7e3c4b71faf5b2beb8
Instruction Fuzzy Hash: 95A16D319016299BDF31DF68DC88BAAF7B9EF44714F1002E9EA09A7251D7359E88CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0176AC7B, Relevance: 4.0, Strings: 3, Instructions: 205COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017AA0AD
HEAP: , xrefs: 017AA0BA
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 017AA0CD

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: fc1b2047290602ee07d63750ab016fb5909d470092273b4d9da30657bfd33d60
Instruction ID: 38582967547dde2e063da71dc51ecf8f1aa8c6dad7e86199b929692cfdbe5417
Opcode Fuzzy Hash: fc1b2047290602ee07d63750ab016fb5909d470092273b4d9da30657bfd33d60
Instruction Fuzzy Hash: B181F431240684EFE726CB6CC898FAAFBF8FF45714F0441A5EA5197696D774E980CB10

Uniqueness

Uniqueness Score: -1.00%

Function 017E23E3, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 017E256F
HEAP[%wZ]: , xrefs: 017E254F
HEAP: , xrefs: 017E255C

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 55a1271489989a566195193c52c8d3b1906bee5beed36f3db94a919e0e7bebdd
Instruction ID: 9f3a28d1e169a0412906048432d1627804c2c7720ba813ec647ffef190988106
Opcode Fuzzy Hash: 55a1271489989a566195193c52c8d3b1906bee5beed36f3db94a919e0e7bebdd
Instruction Fuzzy Hash: 505125752002509AE375CE1EC85C772FBF9DB4E644F2488DAE8C28B287D275DC42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0175EB9A, Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017A42A2
HEAP: , xrefs: 017A42AF
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 017A42BA

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: a9f5bf7c3c2698cabd7921a63a822dae385af47e6d2c8351edf17627a41cb1f1
Instruction ID: 5b56836c5c9bb7a2dd022c3e5cf38851e729ac513bb47277d22be5389e207165
Opcode Fuzzy Hash: a9f5bf7c3c2698cabd7921a63a822dae385af47e6d2c8351edf17627a41cb1f1
Instruction Fuzzy Hash: 1251DE71A04515EFDB54DF58C484A6AFBF2FF84310F1981A9E8069B346DBB1EE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0175B8E4, Relevance: 3.8, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 017A2C8A
HEAP[%wZ]: , xrefs: 017A2C72
HEAP: , xrefs: 017A2C7F

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: f55aabd7e3e5609b269103c041cb4edb6ee36ca63ca55058234ee2c09ff3b270
Instruction ID: 09810c598cff338fa71a5d97d5a2d3b4e952972e6de11a9029e28e920082715d
Opcode Fuzzy Hash: f55aabd7e3e5609b269103c041cb4edb6ee36ca63ca55058234ee2c09ff3b270
Instruction Fuzzy Hash: D811E631354102DFD769DB19C498B36F7B7EF90620F1481AEE806CB246D7B0E941C781

Uniqueness

Uniqueness Score: -1.00%

Function 017FE539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 017FE670
`, xrefs: 017FE5D7

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 0740cdbb995cab34f0e53a99819eeef9d8d997156b215ec6b14116439eff0f5d
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 0B915E312043429BE725CE29C845B1BFBE5AF84714F15892DF795CB394EB74E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01736F60, Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

TargetPath, xrefs: 01792151, 01792156
@, xrefs: 0179211F

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: @$TargetPath
API String ID: 0-4164548946
Opcode ID: e9c00ecf73f90a6090957e732035af5967dea05d85658d8dfe18babddcb4f343
Instruction ID: 9e201a8009d10e7256487a12bc91432f73102b0e7d4bba0076b37a74f025b134
Opcode Fuzzy Hash: e9c00ecf73f90a6090957e732035af5967dea05d85658d8dfe18babddcb4f343
Instruction Fuzzy Hash: D681F2B6908316AFDB25EF28D884A6BFBA4FB84314F05456DFE4597212E331DC09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017B51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

UEFI, xrefs: 017B521D
Legacy, xrefs: 017B5226

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 0b335bfae2ed7f5992b64ac01c42aa55097abf0510e4acf8fbc8cbf95efe5b61
Instruction ID: 987a4dd388b623d827758810d01e16c851817a02aeb56e3b161a3af61a70524a
Opcode Fuzzy Hash: 0b335bfae2ed7f5992b64ac01c42aa55097abf0510e4acf8fbc8cbf95efe5b61
Instruction Fuzzy Hash: C35169B1A456099FDB25DFA8C880BEEFBF8FB48704F14406DE609EB251DB719941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01734439, Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

Flst, xrefs: 01734476
0, xrefs: 017344A3

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: ff2e5e46e0b6e20646524a062c3fa2a56199044ada2b2588038ec74656c88034
Instruction ID: b2276ecfa73cdbb32201a15075538575aebf1059ad43dfc04aa35a3748f4fefe
Opcode Fuzzy Hash: ff2e5e46e0b6e20646524a062c3fa2a56199044ada2b2588038ec74656c88034
Instruction Fuzzy Hash: 3B4179B1A00648CFDB29CF99D584BADFBF9EF84314F14802AD14A9B646D7719986CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0176D4B0, Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 017AB0B2
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 017AB0B7

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: b01418266d087ab3382b55230e0bd8f4819bacdf0e479543a576e64017912db0
Instruction ID: 28ab8e80c7eea96c98fe1867672c8d6b48855cae4a01ca753e4148e6a3e5e268
Opcode Fuzzy Hash: b01418266d087ab3382b55230e0bd8f4819bacdf0e479543a576e64017912db0
Instruction Fuzzy Hash: 56110672B50214BBF7248A8DDD41FABFAADDBD4B10F14806DBE049B244E671DD0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 017DEB8A, Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

@, xrefs: 017DF10A

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 33eca9ad8aa3b88da7958a5abbc8896f635d044f791d39e7e79f215732dd1c21
Instruction ID: 1c97a820b9c2dd0ce5e70addb4daa0d68447010785e9120b79aa4dd2f0182c2d
Opcode Fuzzy Hash: 33eca9ad8aa3b88da7958a5abbc8896f635d044f791d39e7e79f215732dd1c21
Instruction Fuzzy Hash: F032E6742046599BE726CF2DC490772FBF1BF45304F08849AE986CF286DB35E496DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0175B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0175B9A5

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 9b5b18fb06fc99bf4def84c7e2071232cd49a3d10253c7faa725bf4f3632a49b
Instruction ID: 2a74dec0e982dd4f5065e1a3f178642d08ce6a33d6d8a91ab6936bfeb7b23554
Opcode Fuzzy Hash: 9b5b18fb06fc99bf4def84c7e2071232cd49a3d10253c7faa725bf4f3632a49b
Instruction Fuzzy Hash: CA515771A08341CFC761CF68C48492AFBF6FB88610F54896EFA8587359D7B0E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017665A0, Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

S%, xrefs: 017667FE, 01766818, 01766822, 01766834, 017A7D34, 017A7DA2, 017A7DB0, 017A7E21

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: S%
API String ID: 0-316243014
Opcode ID: 9b4be4707b4cdde4d0deece1a5744d41d21c8904da408dd7cff8b4d955a3ca60
Instruction ID: 1dc6228a023ecc4c1f4b761d5a514abfeed30750d9d5a33b520dc0b9d7bfae43
Opcode Fuzzy Hash: 9b4be4707b4cdde4d0deece1a5744d41d21c8904da408dd7cff8b4d955a3ca60
Instruction Fuzzy Hash: DEE193B5A00206CFDB18CF59C490AA9FBF5FF88310F548169E955EB395D734EA81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01762581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 01762642, 01762691

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: d160cdb94162fe9098f82d0b14f3e7f858d077709b5b466ca28b19c602d4ca8b
Instruction ID: 03d357e5aa6c5c6402f02df7a2fcf14a97e0051d8816305002376e01b5852c9b
Opcode Fuzzy Hash: d160cdb94162fe9098f82d0b14f3e7f858d077709b5b466ca28b19c602d4ca8b
Instruction Fuzzy Hash: 89C1AE71E00219DBDB65DFA9D880BADFBB9FF48700F448029EA01BB255D738A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0176FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 017ABE0F

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: c11657752c114a0b271c0315cef9e618cdb63a57bf0ab4599f311e5f69620604
Instruction ID: d3b6a75d3459f13d9bc8c6a78d1975422957f03960541ff1a06fca7650bc54d9
Opcode Fuzzy Hash: c11657752c114a0b271c0315cef9e618cdb63a57bf0ab4599f311e5f69620604
Instruction Fuzzy Hash: 76A12731B006068BEB26CF6DD46477AF7A9BF88710F04466AEE16CB685DB30D841CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01732D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0178FA4A

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 7be01d57229187ad6a76d2e8a3ca19476bab5a1f7cb5defd3a3c1f3f14bc9dc8
Instruction ID: f1a45e618574e515110a7a0a676e0abaedd83a8259b47e69e37236aa2cf261e3
Opcode Fuzzy Hash: 7be01d57229187ad6a76d2e8a3ca19476bab5a1f7cb5defd3a3c1f3f14bc9dc8
Instruction Fuzzy Hash: DC614931A80605AFDB32EF6CC848B7EFBA5EB89720F140299D911972C3C7749A40C792

Uniqueness

Uniqueness Score: -1.00%

Function 017C5F5F, Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 017C6017

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f01aa9c5d7505036a5332c028e8c9018f26f72483e3ba049823e414153cadd42
Instruction ID: 794f54461103497d9a69acf373ce576b555f85468ac8c05119c66511ecfc4ace
Opcode Fuzzy Hash: f01aa9c5d7505036a5332c028e8c9018f26f72483e3ba049823e414153cadd42
Instruction Fuzzy Hash: B7519C72604746AFE7219F18C984F6BFBF8FB94B10F00092DBA4097290E7B5E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0176F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 0176F124

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 3f4fa881d529af272c795c4c953397c39a414e0de4cc9fbbb8fdb96a1bebc4d3
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 4A516A715057119BC320DF29C840A6BFBF8FF88750F008A29FA9687690E7B4E954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017B3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 017B358F

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: e0c6f27b89089bf2548a3f387f79c75bfc305838fb53dc2df21fde3c2be92b4f
Instruction ID: 4f99cf09917ad69c0e9c5bc25ee789d000d849e6f1af52a65525d4806a91a753
Opcode Fuzzy Hash: e0c6f27b89089bf2548a3f387f79c75bfc305838fb53dc2df21fde3c2be92b4f
Instruction Fuzzy Hash: 9A4142B1D0152DABDF21DA50CC84FEEF77CAB44718F1045A5EB09AB240DB309E888FA4

Uniqueness

Uniqueness Score: -1.00%

Function 018005AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01800633

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 533f999664bf30a4dbaea685daa1f93af2fa9ea76e2b001e5b29a3fd1dcd7eb1
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 8131043260434A6BE751DE28CC44F97BBDAEBC4794F144229FA59DB2C0D770EA04C791

Uniqueness

Uniqueness Score: -1.00%

Function 01764020, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 017640E8

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 0-996340685
Opcode ID: 300d43ff7108047c517ae17a7b30999a2499df731d469410c8b72a74ecc4f2ff
Instruction ID: 24cbf918982ab3fb0bf784026f9e879a711b05599bf3ace90234dbe83ca42fc9
Opcode Fuzzy Hash: 300d43ff7108047c517ae17a7b30999a2499df731d469410c8b72a74ecc4f2ff
Instruction Fuzzy Hash: 7B415375A0074ADBDB29DFB8C4416EAF7F8EF59300F00496EDAAAC7640E334A545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017B3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 017B38B4

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: e38941842c79dff3ae6eb6805109d2a4c98763f56fa3b67dfcb5c544038ce145
Instruction ID: 4a69a86f808a3aab3a3f6ff06b2795fd867190167ac21bfa2a6587c987ae8bc8
Opcode Fuzzy Hash: e38941842c79dff3ae6eb6805109d2a4c98763f56fa3b67dfcb5c544038ce145
Instruction Fuzzy Hash: 5131E33290161ABFEB15DA5CC985FABFB74FB80B24F124169E915A7250D7309E80C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0176D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0176D303

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 50d2999da79d5ba97ead383cce5d0d1162c33d808075b2c344eaf7d57c76a438
Instruction ID: 173a1cb405d1c10249abf62e5897b1b9145fe93137489e70d42c1ea6c5be39e3
Opcode Fuzzy Hash: 50d2999da79d5ba97ead383cce5d0d1162c33d808075b2c344eaf7d57c76a438
Instruction Fuzzy Hash: B331ADB2618305DFC721DF69C98496BFBECEB89654F00092EF9D583250E634DD08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01741B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01741BC5

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 5a0c5af2491a966f86f5e2ffbd36618415e92fd25f239223d1f7400d5c0ca6b8
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 7D21073A900229ABDF22EA5DDC44F6BFBADEF41650F454465FE048B200E730EC50DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017E8DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 017E8E21

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 2249dd587e1754d22fc79fce102a5a9d08662ea174fc3e2e107635b0bfc8eed1
Instruction ID: 88ae31e2eb68994817b49e7e31ea05353d95334b08ddedcb616ef67929d824b6
Opcode Fuzzy Hash: 2249dd587e1754d22fc79fce102a5a9d08662ea174fc3e2e107635b0bfc8eed1
Instruction Fuzzy Hash: CD1123B1D55348DADB29DFA8C909B9CFBF0AB18714F24426EE569AB282C2740602CF15

Uniqueness

Uniqueness Score: -1.00%

Function 01805BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71bf1d1e2e2abb5fb86f0daade9baf6f69b9dbb61087ff218eb3f04cfea9f05
Instruction ID: 330e8f15d84c87f4f2e520ea09b5d50385cd9eb4da833a75bb47520fb4c4209d
Opcode Fuzzy Hash: e71bf1d1e2e2abb5fb86f0daade9baf6f69b9dbb61087ff218eb3f04cfea9f05
Instruction Fuzzy Hash: B6425C75900229CFDB65CF68CC80BA9BBB1FF45304F1581AAD94DEB282E7349A95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01754120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32548e2968b7b21aabf5e1efb254ddf75bd97b35f3aec7fde8d959a44d3e91ab
Instruction ID: 21e4d98f1f781319e117b6b1c178d76f6c555c9a4f77ea7a497be37a3c7fc03f
Opcode Fuzzy Hash: 32548e2968b7b21aabf5e1efb254ddf75bd97b35f3aec7fde8d959a44d3e91ab
Instruction Fuzzy Hash: 93F19C706082118FCB64CF18C484A7AFBE1FF88754F14496EF98ACB291EB74D985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 017620A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747fa1eadc8878f6df42c0729c42c257524739ee22ccf8ac88259512944f0dd2
Instruction ID: 76c3b8561ea9b8608579469515b5c70372a931b49d3aa5f5a5055e1b9f6aae64
Opcode Fuzzy Hash: 747fa1eadc8878f6df42c0729c42c257524739ee22ccf8ac88259512944f0dd2
Instruction Fuzzy Hash: 27F1C135A083419FDB66CF2CC84476AFBE9AFC5324F09865DED959B282D734D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01736800, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09dee6bcb4cb8ab01004bccf423b5cb4b66faef6a1219afbe22a3b9222e37a6f
Instruction ID: 7d3b841af260aa5b694cc734df44a8d820182a1552f7eb6a3d27e7747d15205a
Opcode Fuzzy Hash: 09dee6bcb4cb8ab01004bccf423b5cb4b66faef6a1219afbe22a3b9222e37a6f
Instruction Fuzzy Hash: C4D1D271A00216ABCB18CF68C890AFAF7B5EF98314F14416DF916DB281E734EA55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0174D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36becccf5b64c0dd51d787596966f98300a60ebd287561bab7b2e57bc766da0e
Instruction ID: d74f0309c79f7474d4e1f6ee19f6091e4471948c9baf7f03f80e260777580ce7
Opcode Fuzzy Hash: 36becccf5b64c0dd51d787596966f98300a60ebd287561bab7b2e57bc766da0e
Instruction Fuzzy Hash: 46E1DE30A0035ACFEB32CF68D884BA9F7B6BF56304F0441D9D94997291D774AA85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 01733ACA, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1c05bf1f5aac223eb0adbc107fa2685f8011a9a768bec16b84b9dd54217e73
Instruction ID: 0c8dcf7c414813c0d064314f6f6790a86ae25245eff78f5318ed6227fe6e4c72
Opcode Fuzzy Hash: 1b1c05bf1f5aac223eb0adbc107fa2685f8011a9a768bec16b84b9dd54217e73
Instruction Fuzzy Hash: D1E1F171D00618DFDF25CFA9C988AADFBF5BF88300F14456AE946A7266D730A981CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0175B236, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: 94d87506c3890eb87d5914797244cd8545d09837d4c5ee6cb77323d25446fedb
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: B5B1E331B046069FDB65CBA9C894B7EFBF6EF88200F544269EA41D7386D7B0DA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0174849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84e149922692a3d51df814dab840c9bc0bd7e493600f22ab26155e0523c8112
Instruction ID: 6b8f1068f71d154bc2d7adfa9aa0d569f6c7704b36d00655ba30f09cd52fc404
Opcode Fuzzy Hash: a84e149922692a3d51df814dab840c9bc0bd7e493600f22ab26155e0523c8112
Instruction Fuzzy Hash: A7B15A70E00209DFDF25DFE9C984AADFBB9FF58304F10412AE605AB24AD774A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0176513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3564f446fd4fdd4e354222e0b686704543b3be3285c1846148f314ba0131ecc
Instruction ID: ae7be00edb6736973086db3f6be9f34e3296aeacf23a13ff2ba614ec43659b5f
Opcode Fuzzy Hash: a3564f446fd4fdd4e354222e0b686704543b3be3285c1846148f314ba0131ecc
Instruction Fuzzy Hash: 56C122B55083818FD354CF28C480A5AFBF1BF88304F584A6EF9998B352D771E985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 017603E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56ada58a33d341033a675deb77cff955cf7534da36ac3f4ae5e43c8b0ed48ee
Instruction ID: c954522c5a45876fbdaf8b66a0f9d1954abca2ed9fb7728b43ef560326f1f441
Opcode Fuzzy Hash: d56ada58a33d341033a675deb77cff955cf7534da36ac3f4ae5e43c8b0ed48ee
Instruction Fuzzy Hash: EE91E631E00215ABEB369B6CC848BADFFA8AB45724F590365FE12A72D1D7B49D40C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 0176DA88, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457519b62c0d205f6682375cf9b11a7ec9322ba76765286e924d3177ee33cead
Instruction ID: ea67cf5c3ca5ae3032503f8c40d5828c3d0a314815df10fc1abfe68480d8ca48
Opcode Fuzzy Hash: 457519b62c0d205f6682375cf9b11a7ec9322ba76765286e924d3177ee33cead
Instruction Fuzzy Hash: DAA19D74A14209CFDF36CF98C4807A9FBA8BF48344F648599DC559B29AD371D982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01735AC0, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aeceab8095c121ce5fefe72aeda7405abfebd92f395a960a1f10a7bc1f657dc
Instruction ID: d14d90a413d0d60f03b0a2b54729fdc46d293a1d95caf668475a165f5c30e612
Opcode Fuzzy Hash: 2aeceab8095c121ce5fefe72aeda7405abfebd92f395a960a1f10a7bc1f657dc
Instruction Fuzzy Hash: 8381F5B1A0021A9BDF249B28DC40BEAF7B8EB44314F4441F9DA05E3281E774DED5CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0176138B, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: 6271b4de1ffc453f377b927be2f0483dad6a81a286f68400352313ff6275b99d
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: E3817D75A007459FCB25CF68C444AAAFBF9FF88310F54866AE996C7751D330EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017CB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11efe43baf6efa60074e6a277eacea78942a3dcf9091dfdb87c624565cd597b6
Instruction ID: ae9aaf2c453ae005574db073613589eb4216e1a4dd1f6e62774376d5b80525ad
Opcode Fuzzy Hash: 11efe43baf6efa60074e6a277eacea78942a3dcf9091dfdb87c624565cd597b6
Instruction Fuzzy Hash: 5771DF32240702EFEB328F28C846F5AFBA5EB44BA1F14452CF655876A0DB75EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017B6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: c768c3ebd98ad010967ed685e01089c8e806376bc3954d749bfac7a9d4279889
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 1E715E71A00219EFDB14DFA9C984FEEFBB9FF48710F104469EA05A7294D734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0174F370, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698b84707d97482f467bd7da402d18dd1a34bd5de5bba1b2fec2fb78c443624e
Instruction ID: d01b57b63e180fded7199213f9a38ce2f0bed5ac788187fb3a4cb627d3b8f682
Opcode Fuzzy Hash: 698b84707d97482f467bd7da402d18dd1a34bd5de5bba1b2fec2fb78c443624e
Instruction Fuzzy Hash: 4561EF36A042558BCB26CF6CC4806BAFBB1EF85310F1980A9EC55DB385DB34D946CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0173395E, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57366b3b1c140efeb1b866e2761fdbdfca95384a170d264967c366f0b878de2
Instruction ID: 2a5a2eafbc62248405058caac550db319995a4a3a325fa77ea4b608413c7fbda
Opcode Fuzzy Hash: a57366b3b1c140efeb1b866e2761fdbdfca95384a170d264967c366f0b878de2
Instruction Fuzzy Hash: 6E51BF71A00701DFDB31DF69C888A2AF7E8FB95309F00482DE54687616DB74EA49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0173B171, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161aabed350bbe58c002f4f310d93306829025ca2ef7860368a0537b39af7428
Instruction ID: 1b26aff647abe7cc315bcd2716ab930288204801cac0d8a805b94d6f25666822
Opcode Fuzzy Hash: 161aabed350bbe58c002f4f310d93306829025ca2ef7860368a0537b39af7428
Instruction Fuzzy Hash: 1B51D071D002598EEF31CF68DA45BBEFBB0BF04724F1041ADD85AAB286D774494ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 017695EC, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe2537c1a9222b9a722268588e76fbdc7c9487615a58e1b006cfcc6b452f997
Instruction ID: ea62f6f8f4f0fd22dc8dda8bf4749a91d61f6c6f16cb3ea7acd0118c6e84ed25
Opcode Fuzzy Hash: 1fe2537c1a9222b9a722268588e76fbdc7c9487615a58e1b006cfcc6b452f997
Instruction Fuzzy Hash: C651A071A0060AEFDB16DF68C848BBEFBB8BF54319F104169DA1297290DB749921CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017FB581, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37d184c4107bccdfa52a75f1458519d3e91bb5028dd7807bab071026b186e38
Instruction ID: cab9a6c6ae100ad818d8d59a2595926e151c326dc56192cafbe75a42c387b5ac
Opcode Fuzzy Hash: c37d184c4107bccdfa52a75f1458519d3e91bb5028dd7807bab071026b186e38
Instruction Fuzzy Hash: FE51FE326047428BE315DF28C998B6BFBE0BF90314F18456DEB558B391EB35E849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017352A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53e426a8c5dc3787d8cd6afa652162d95031f6d8c553b6f7d312128c5347770
Instruction ID: 834dcc01c79a62af1c9cf463573ede1694ee79735b12c47961615e1ce32f1af2
Opcode Fuzzy Hash: b53e426a8c5dc3787d8cd6afa652162d95031f6d8c553b6f7d312128c5347770
Instruction Fuzzy Hash: 02510070205742ABDB22EF68C844B27FBE8FFA4720F10091EF59583652E774E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01762AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9798d71f7a172d7fed8cba3af5598670d43a7bedd5ccc40cd62b86745e2f3b28
Instruction ID: 99d11dd2d82b388fd749dad48a69216a1f532d8a2ae2a3df03d84b2e016dbffc
Opcode Fuzzy Hash: 9798d71f7a172d7fed8cba3af5598670d43a7bedd5ccc40cd62b86745e2f3b28
Instruction Fuzzy Hash: 7451AE76B00115CBCB65CF1CC8909BDF7B5FB89700719845AEC4AAB326E730AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01763C3E, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8d24bcaad32eb8c62efd814278e7a33c849697f31d6de19b608137093b2c24
Instruction ID: ece88e190cce9db076b7dc9bb82e241e226f93f648bd976f58de943f311df71f
Opcode Fuzzy Hash: 0f8d24bcaad32eb8c62efd814278e7a33c849697f31d6de19b608137093b2c24
Instruction Fuzzy Hash: A0516B716083419FC701DF29C888A6AFBE8FF98224F14496DFD99C7285D770D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0175DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1e76ae0c6b538662a51c756ea9b6e15b28f6ec4d2d98f4a9cc8730692b8a60
Instruction ID: 7660e02286233838ef0ebdf3dd40399433d16a115ed8f70426610fbd1039d7bb
Opcode Fuzzy Hash: 7c1e76ae0c6b538662a51c756ea9b6e15b28f6ec4d2d98f4a9cc8730692b8a60
Instruction Fuzzy Hash: 7F51B271E01616CFCB65CFACC490AAEFBF1BF49310F20815AD955A7345DBB1A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0174EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 1a8510cca2bf8a2ab48274e470d018bc218dfed964bee88d053a52196acf372b
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 06512230E04249DFEB21CB6CC1C4BAEFBF1BF85324F1881A8C54593292C779A989C791

Uniqueness

Uniqueness Score: -1.00%

Function 0180740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: af2d3c69aa5cf9aa9b08d72b30c349577dddc97ff7b118bbe4786bb68734705b
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: EA51A07150064ADFDB56CF18C880A95FBB5FF45304F15C1AAE908DF256E372EA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01774D51, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction ID: f65f155a52ef27e0bca3679a49ee137dc36cab115a71cdcfa6a9a55ebfde75ca
Opcode Fuzzy Hash: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction Fuzzy Hash: 57516835A04615CFCB15CF88C480AADF7B5FF88724F2486A9D966E7391D770AE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01762990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b77e400ca20ad3e20600982faa6dc12865f4bebe5785c4d0b364edde470de11
Instruction ID: 51d2877feb6ca23401bac5daeb532e40f20dfbfbfd836ebca09ec84abee1fa0c
Opcode Fuzzy Hash: 2b77e400ca20ad3e20600982faa6dc12865f4bebe5785c4d0b364edde470de11
Instruction Fuzzy Hash: 1B516A71A0020AEFDF65DF59C880AEEFBB9BF48310F108155ED00AB266C7759A52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01735050, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a93475005052eac89fa8658f8f266d09e6ac6ec6cdc2a098d7805f9cf939828
Instruction ID: b5680bc29159bf8de4be55b7e37d59ce7832ac520e0ee8a540585e0dd201fca7
Opcode Fuzzy Hash: 0a93475005052eac89fa8658f8f266d09e6ac6ec6cdc2a098d7805f9cf939828
Instruction Fuzzy Hash: 914125362043529BC720EF28D880B6AFBA8EF95710F104929FD959B392E770DC45C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 01764BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c343729f18a3003ab6e983762913a9167ebca7e80579680d1e0feb20dc6520d5
Instruction ID: 2ca36d23e53a1df0dd5943df778d1a7e8a126a339fbe133da73379d572425571
Opcode Fuzzy Hash: c343729f18a3003ab6e983762913a9167ebca7e80579680d1e0feb20dc6520d5
Instruction Fuzzy Hash: 0941B235A00229DBDB21DF68C944BEAFBB8EF45700F4501A5E909AB345EB749E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01764D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798f1485d3ee0a797480722358a8cc62b94093c3917d675ab824b3e5d167f618
Instruction ID: 1b660831490b774b0948c37ac53c1e46078e7198dfb27ddbd0a60a3fad175be5
Opcode Fuzzy Hash: 798f1485d3ee0a797480722358a8cc62b94093c3917d675ab824b3e5d167f618
Instruction Fuzzy Hash: 2641F871A403189FEB32DF18CC84FA6F7A9EB55710F04409AED4697285D774ED84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175F86D, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623b9ae47f32c4b9484fdcecbe2eb17d689ba94fc82bcb46a82109591dcc45cb
Instruction ID: 5a804e3f58b8e5502c792439dac9a0b6accb38f44d2e20c78851c785d2a3bc6d
Opcode Fuzzy Hash: 623b9ae47f32c4b9484fdcecbe2eb17d689ba94fc82bcb46a82109591dcc45cb
Instruction Fuzzy Hash: 1B41E2B1A00606AFEFA29FACC844BAEFBB5BF98710F140119ED41E7251D7B599408B91

Uniqueness

Uniqueness Score: -1.00%

Function 017C6365, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction ID: df24e0022ea6314b622d8eb34cab9869168f9887a5197da4ccad4d31d507342d
Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction Fuzzy Hash: FF418F76600105EBDB259F6CC895BAFBB6AEB44B10F1940ACFA069B351D771DE02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01731AA0, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction ID: db4a87b71a43352c2f2a316e4865c83116bf571c3d2e2153150e29d7d4a268df
Opcode Fuzzy Hash: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction Fuzzy Hash: 0B415F71A00605EFDB24CF99C980AAAFBF8FF48310F5085ADE556D7651E730EA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0173649B, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81082e7344586eea1b3de63ba57ce518de1bbbb123d1b67c281f457ce413708d
Instruction ID: d132bf36d247dc6a318643164954fcd820617f3baea00b6d8594e0c2c5b9ce7a
Opcode Fuzzy Hash: 81082e7344586eea1b3de63ba57ce518de1bbbb123d1b67c281f457ce413708d
Instruction Fuzzy Hash: 79418D32508346AFD712DF64D840A6BF7E9FF84A64F50092AF980D7255E730DE198B93

Uniqueness

Uniqueness Score: -1.00%

Function 01740100, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38afcf6a2865a9d80b6e82a91fd5cc6c577c7e17f226dc49bf97c623b9a7f01
Instruction ID: 218802dea48b351c4b528407fa9e3b9a9cb6fc3c0348fea1f76a6861db361fee
Opcode Fuzzy Hash: c38afcf6a2865a9d80b6e82a91fd5cc6c577c7e17f226dc49bf97c623b9a7f01
Instruction Fuzzy Hash: F141DD71985209CFDF62DF68D8807EEFBB1BF18354F144255EA11AB296E3359A80CF90

Uniqueness

Uniqueness Score: -1.00%

Function 017FAA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: b0e7d171f9157fc153e5fc67c44f0313cfc4daa949e3ef2af1508dba80a27be2
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: B231D332F002496BEB158B69C845FAFFBBBEF84210F05846DEA09A7351DA74DD44C750

Uniqueness

Uniqueness Score: -1.00%

Function 01748A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b027f1d00320c889c2c86aa18205a6c47e9a57b65d41b59b77cf98e22793412e
Instruction ID: e09062b8645d664fc3b05e996673024dbf182de71fb5d1919ea2c64d4999c95e
Opcode Fuzzy Hash: b027f1d00320c889c2c86aa18205a6c47e9a57b65d41b59b77cf98e22793412e
Instruction Fuzzy Hash: 7A4170B4A0022D9FDB24DF99CC88AA9F7F8FB54300F1046EAD91997242E7709E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 017FFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 1e4b77e95e613414a1653ca5e617dc3ca8e89f98cbf01deaea9c4de8deeb541c
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 7631D333204645AFD7269B6CC848F6BFBE9EF89750F18415CEA468B346DE74D841C750

Uniqueness

Uniqueness Score: -1.00%

Function 017FEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 34d0417bd19d0079c26c9e1e6528c18244dba42cbb8a63518a913eebc18381e4
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 7B31D2326047069BC719DF28C884E6BF7EAFBC4210F05492DFA5687755DE30E909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0174B433, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction ID: 1a8240a21611785c39fe8f3b1cd745053d32fb748413146977c6f9abae77187c
Opcode Fuzzy Hash: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction Fuzzy Hash: 13410432605645AFDB22CBACCC84BDAFBB9AF14350F0485A6E45597352C774DD84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017B69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1523628c998715027ffc34d7124924b1869a9d001b13757eb3aa6bd2602e0cf
Instruction ID: 57acb825b6da0dc21b378832ded884addba32556681e4942bfbd778a667fcb54
Opcode Fuzzy Hash: b1523628c998715027ffc34d7124924b1869a9d001b13757eb3aa6bd2602e0cf
Instruction Fuzzy Hash: 8A418DB1D01209AFDB21DFA9D980BFEFBF4EF48714F14812AEA14A3244DB709A05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01735210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7520e0195ab3b3cb73db225e8482c19a13039b6edee7626465f27a1c0dd69c
Instruction ID: f4e1eb98b661c8a55ffa1e231b8c62733ec5bdc81b81d2d9882f32a0c4ee112b
Opcode Fuzzy Hash: 2b7520e0195ab3b3cb73db225e8482c19a13039b6edee7626465f27a1c0dd69c
Instruction Fuzzy Hash: 81315931255611EBCB229B1CD884F2AFB79FF60730F114629F9154B296DB70E940C790

Uniqueness

Uniqueness Score: -1.00%

Function 01773D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5010fd11e4fe6699d891864db84aed8a24a7d045b1c2e86de8563ff3c0077a6
Instruction ID: 5225794f4040d58309c3e3c93d5f50415844d547ca328ce8a2d0fc1de0835e0d
Opcode Fuzzy Hash: d5010fd11e4fe6699d891864db84aed8a24a7d045b1c2e86de8563ff3c0077a6
Instruction Fuzzy Hash: 9C31BE71604615DBDB298F2DC841A7AFBE5FF99700B0584AEE946CB350EB70D880E791

Uniqueness

Uniqueness Score: -1.00%

Function 0175C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: dbf3fd7bb83d02b978e90bf3e34c2f2af793a2a09c9c9715a40ceff12a0a163e
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: EC316B71A05687BFD746EBB8C480BF9FB58BF52244F04415AC91C87206DBB45A45C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 017B7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38003e245f505ed38eff2331ad504117a1bca47e0590878abe170962b584091b
Instruction ID: 81a11f45afb8e7e164595554f64a5354dff6debeef0156a9f71f7d9f6bae4c77
Opcode Fuzzy Hash: 38003e245f505ed38eff2331ad504117a1bca47e0590878abe170962b584091b
Instruction Fuzzy Hash: D531B1726047559BC324DF28C884BAAF7E9FFC8700F044A29F99587694E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 017653C5, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452772c650bc80318162789976ccae56e8fc21a6341bbe858c7c0f1dc8621bb6
Instruction ID: 5d1b69f26338167b7cf6b5940784a616c5a0b4a9945897bef068d9688210df31
Opcode Fuzzy Hash: 452772c650bc80318162789976ccae56e8fc21a6341bbe858c7c0f1dc8621bb6
Instruction Fuzzy Hash: 4F412230A007458FDB369FB8C4143AFFAE2BF91300F54466EC48AA7341DB364905DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 017E3D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b0f4318f25b1ce271df87be8077206c3dc962267371f272e9ae83e4f076180
Instruction ID: 06c5334437fa84aa1596ab33e78a7a032a9764d8352e3f0101d75575a5f3fba5
Opcode Fuzzy Hash: 35b0f4318f25b1ce271df87be8077206c3dc962267371f272e9ae83e4f076180
Instruction Fuzzy Hash: 6C318871509312CFCB21DF18C48985AFBE1FF89714F04896EE8888B245D730DA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01733880, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a389f77e9c8ed3102d7a250c8f7dd6a74c96785e783148c2eb6812c330c9a5ec
Instruction ID: 3024bd7f9f62b414287c7918720f90ced00bac8cb360f135b7ff52997f5871fd
Opcode Fuzzy Hash: a389f77e9c8ed3102d7a250c8f7dd6a74c96785e783148c2eb6812c330c9a5ec
Instruction Fuzzy Hash: 6831BE32E40219EFDB31DEA9C844AAEFBF8FF48350F01456AE915E7255D6709A008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 017FA189, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74973391e5bcb73d75007052b0cf8b4f70e6ef53cd1307f9b227c9a51815f680
Instruction ID: 1d8544ca1b014fefba1b34893ec52256f726f6aea22dc3e6ba46a2a72a1d043f
Opcode Fuzzy Hash: 74973391e5bcb73d75007052b0cf8b4f70e6ef53cd1307f9b227c9a51815f680
Instruction Fuzzy Hash: EA31F635B44216EBDB229F99D840B6FFBB8EF85710F11406DEA19DB345EA71DE008B90

Uniqueness

Uniqueness Score: -1.00%

Function 017661A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4647e8ff3b4c98a4841a69314810a71c9d13588ccef52c272c855b39b01263c
Instruction ID: 91a49fb221f63433f29db785f700f96e77cf2df03771879693c60dfd629d52ea
Opcode Fuzzy Hash: d4647e8ff3b4c98a4841a69314810a71c9d13588ccef52c272c855b39b01263c
Instruction Fuzzy Hash: 21316D716053018FE364CF1DC900B26FBE8FB88B00F85496DFA9497251D771D844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0173AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b233618da2ff11f67d5d95d99e8bd559a1beda6d81137f56a4e847bddf11b98
Instruction ID: c172aa7b7a83e3f453e8dd9d5aa2755188b81e44c135de8386bc5c87a2f392b5
Opcode Fuzzy Hash: 2b233618da2ff11f67d5d95d99e8bd559a1beda6d81137f56a4e847bddf11b98
Instruction Fuzzy Hash: 9231D772A00119EBCF159F68CD41A7FF7B8EF54700F014469F901DB154E7759A11DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01774A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358a09483a93221c9f182f86bc6aaf07aad0f95bb86f2fa9bc5d1950381b48a2
Instruction ID: 2da737b622d10fc7acef3b14bd7fc161c96edc63e472c46613a67d059e90026d
Opcode Fuzzy Hash: 358a09483a93221c9f182f86bc6aaf07aad0f95bb86f2fa9bc5d1950381b48a2
Instruction Fuzzy Hash: 903102322057119BCF32EF58C988B2AFBE4FFC1710F424569E85647255CB70DA40CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0176BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb155c6482573b0f61a4e4030b7b7d9877cb83d6d8ec7a0a3cdec943ff43bb40
Instruction ID: 9821613bca001d05307d50fff6aed1eea652281a2cc3d0ee1f2f3ea107b02cdd
Opcode Fuzzy Hash: eb155c6482573b0f61a4e4030b7b7d9877cb83d6d8ec7a0a3cdec943ff43bb40
Instruction Fuzzy Hash: 6A31F7366006559BCB22DF58C4807A6B7B8FF25310F244075DE45DF24AFB74DA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01739100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa2f99bf507ac0e140803a1b6ba68f405804ca42ba4c1ab6efd406b71428cb6
Instruction ID: 111301233e60f676a81678e697f9d33da28f1b1361eed157911d5f02cdb557ca
Opcode Fuzzy Hash: 5fa2f99bf507ac0e140803a1b6ba68f405804ca42ba4c1ab6efd406b71428cb6
Instruction Fuzzy Hash: 70319F75A05645DFEB76DB6CC488BACFBF1BB89318F148149C60477282C3B5AA80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0176F527, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: 375d75ba49f0b0de8e617d999e4fea050d101a9787b37614dfac0bfb20bb8c87
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: D4318732601648EFDB21CF68C894F6AB7B8FF84314F2005A9E9158B695EB70EE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01761DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 953692d9161c92d3fe9bc7162218f207ff7c696503c580e07d8142451f342372
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 89217C72640119EBD721CF99CC88EAAFBBDEF89642F514095EA0597220D674EE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01758D76, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bbb4f56a7105b7c4cc3c5dc29ca5432f6a1fc63b2212a894eaaa899304cc15
Instruction ID: 1382306e51d4cc32dffb159fcda6f4ad3c5e486bbbf2ea6afef7995a64ada90f
Opcode Fuzzy Hash: f1bbb4f56a7105b7c4cc3c5dc29ca5432f6a1fc63b2212a894eaaa899304cc15
Instruction Fuzzy Hash: EC21DD39201A80CFE3A6CB2EC494B76F7E4EB59704F184896ED828B651D7B8D8C1C721

Uniqueness

Uniqueness Score: -1.00%

Function 01750050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdef9b0a9080064d69eec78b73468096923797aea83050c85ef4c4429ac8bc6a
Instruction ID: a7b97ef962dc65b205181a95dec00eb2186b4c70e495b4cdf351bd4ac9ea62af
Opcode Fuzzy Hash: bdef9b0a9080064d69eec78b73468096923797aea83050c85ef4c4429ac8bc6a
Instruction Fuzzy Hash: 4B318D31601B04CFDB62CF2CC844B9AF7E5FF89714F14856DE99A87A90EB75A901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017B6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f9020177b1160dd0bdb4f1c041bff8920a6a47f76082e12872461df6cada86
Instruction ID: f327198102a2f6439af22b6ad1f8cd522f8919025b3dbbe836c7b2ff73d3c1ff
Opcode Fuzzy Hash: 35f9020177b1160dd0bdb4f1c041bff8920a6a47f76082e12872461df6cada86
Instruction Fuzzy Hash: 482197B2A00645ABD715DB68D884F6AB7B8FF48700F1400A9FA09CB791E734E950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0180F1B5, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d45242e49f73abc82de35ca241ca9fe68258055cebdeee4ea9971d16ac1d17
Instruction ID: 5656a44130198bc747abb53290c8fbcb2fcc882ccf90698b8bb67de8ae3f2ca7
Opcode Fuzzy Hash: b2d45242e49f73abc82de35ca241ca9fe68258055cebdeee4ea9971d16ac1d17
Instruction Fuzzy Hash: B921CF3AA00619ABDB728F49DC84F5ABBB4FF45710F028065EE04DB294D330AE00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01734A20, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df8d89b6a93cb17a102059f1e0affe231a120b447a8b740b97eeb29548b1066
Instruction ID: 2f606e16a0246ba59d57bc3262c36c325f4c005f02f6eeed048ad5bb4f6946f0
Opcode Fuzzy Hash: 2df8d89b6a93cb17a102059f1e0affe231a120b447a8b740b97eeb29548b1066
Instruction Fuzzy Hash: D6212731200A01DFCF3B9A28DC08B27F7A9EB90324F104759E957865E7E634AB46CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 017790AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 64de42e84a4bc64c4a1e42d77b03a7e5b13ce00946dce5d835b7be7505fcd9f6
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: CF219571A01305EFDB21DF59D844E9AFBF8EB54324F14886AEA4997211D370ED50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01763B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff99f0883188a3db066092dca767eda0f03da9f3651115ea0f47e8e19bec33d
Instruction ID: 3572cbc6d2ee93a5eb24a3761d85219e81dd53b572d30677cc2c5972cebc6f81
Opcode Fuzzy Hash: 6ff99f0883188a3db066092dca767eda0f03da9f3651115ea0f47e8e19bec33d
Instruction Fuzzy Hash: 86218E72A00109AFDB15DF58CD81B6ABBBDFB44708F194068EA09AB251D371AE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01734B94, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction ID: 1931044135c41052531bdd53d6bbf0139b1c24c3336c9204bf11164c2ea9556a
Opcode Fuzzy Hash: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction Fuzzy Hash: 1031AD71900625DFD72CCF69C480679F7F4FF88614F1486AAC86A97662E770A940CB41

Uniqueness

Uniqueness Score: -1.00%

Function 017B6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e9b3d13a8e66b92857cfd7729d3ed2cc11c10ee1f8db4cc58f51c305c614dc
Instruction ID: 2590a9b29965aab5af0c51b8f08830b1906accb298e2f6115fa0fe6e0c461995
Opcode Fuzzy Hash: 47e9b3d13a8e66b92857cfd7729d3ed2cc11c10ee1f8db4cc58f51c305c614dc
Instruction Fuzzy Hash: 9121D4725047459BDB11DF2DC988BABFBECEF91640F040966FE40C7251EB34D988C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 017428AE, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e63ceffce4d6205902002dce5806e93ac3c295821b27a4842ef944d7312963
Instruction ID: 23f380b11f7e64a6231fedc004c6bfe0ff035bc8824f6b3b5906b90c2ac872fb
Opcode Fuzzy Hash: c1e63ceffce4d6205902002dce5806e93ac3c295821b27a4842ef944d7312963
Instruction Fuzzy Hash: C02129326557819BF726576C9C48B28BB98AB41774F1903A1FA309B6E3DB689840C610

Uniqueness

Uniqueness Score: -1.00%

Function 0173519E, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59dd92b68bed5daa6b692ab360420c57defccb7a56201d8f6270ef572e1e4c5
Instruction ID: ce1edfe9be25f0d015aba75a718014cf062dae9a057f4701c43b11e6930d6cb6
Opcode Fuzzy Hash: d59dd92b68bed5daa6b692ab360420c57defccb7a56201d8f6270ef572e1e4c5
Instruction Fuzzy Hash: 7E11E175901311ABCB309B68C440AEAFBF9AF65720F14066AF94697781EA35C945C650

Uniqueness

Uniqueness Score: -1.00%

Function 017312D4, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction ID: c49516d57dd4be9ba4ff9df316a00e841511be00464fb3cec2127a87ede2207a
Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction Fuzzy Hash: 9911E272600609EFE7229F58D844FAAFBA8EB85750F104029EA058B541DA71EE44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0176FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 29b40f8b322d316c55d8ba3c2f1d9c8ac8dd6fc2a6596ae7fb417c6f2b3b8bd4
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 9B21AC72640A40DBD735CF0DE960A66FBE9EBA8B10F24816EE9458B615D730AC40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 017612BD, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182328409c53df7be0a5fb6ae81ff6e41efcfb36604afaa8424f883111292941
Instruction ID: 440a6f58edbf1dfb16f2de62166d88c5861969b691d7ecf0f007a7107034034b
Opcode Fuzzy Hash: 182328409c53df7be0a5fb6ae81ff6e41efcfb36604afaa8424f883111292941
Instruction Fuzzy Hash: 5D215871600600DFD735CF29C885B6AB7E9FB84250F51886DE99BC7611DA70A840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01775A69, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583ee738041d656097c0a92ac462ecc68a4402d5f171726119610335b110c7ba
Instruction ID: 217797aa81afa51003098f9b6ff09664e91ec470fe364dcfeddc6edbc05e566d
Opcode Fuzzy Hash: 583ee738041d656097c0a92ac462ecc68a4402d5f171726119610335b110c7ba
Instruction Fuzzy Hash: E21103792427518FE725AB3CC0E0B75FBE4EB42714F4945AAE88287741D369DD80C750

Uniqueness

Uniqueness Score: -1.00%

Function 0176B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26de7e0aeaf293b3c2d738e122c2aaa06f9cef48c88ec3cefaee252df7862de4
Instruction ID: 10b2357e9c4b5ee879d98ff6fab3a6994af904809534c739de93c3a355f2488e
Opcode Fuzzy Hash: 26de7e0aeaf293b3c2d738e122c2aaa06f9cef48c88ec3cefaee252df7862de4
Instruction Fuzzy Hash: 6C116B333052209FCB2ACA19CD81A6BF2DAFBD6330B650139EE16C7380C9319C02C790

Uniqueness

Uniqueness Score: -1.00%

Function 01739240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347565b80ad46b34d7b3870f5fcdb1f971792d90a37e5c65f40e93cfd8a3e10b
Instruction ID: 7a4fe161cae5e6e4e6fd6306b8bab7687b253c301c1f8857e4866ab3c51e2be5
Opcode Fuzzy Hash: 347565b80ad46b34d7b3870f5fcdb1f971792d90a37e5c65f40e93cfd8a3e10b
Instruction Fuzzy Hash: 17217871041601DFC762EF28CA84F59B7F9BF28308F50856CE149866A6CB75EA42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 017FE962, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction ID: be0a598d553c8fb2a62a47180ebedc845341196a569e0427aea32a500c1a725d
Opcode Fuzzy Hash: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction Fuzzy Hash: AD110432600519AFDB19CB58C805AAEFBF5EF88310F058269ED4597354DA31AD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01733138, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction ID: 4afee54acf6f8431ee0427904446d26cccfbfbd816a01218a08d613cccd22ed0
Opcode Fuzzy Hash: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction Fuzzy Hash: 33118E31A00704AFDB26DF64C808F6AF7B9EBC5314F1485A9E5159B241EA71A842CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0176DF4C, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb68034816a1b22d4d42b68bfa87daaead973648ca8f5c3e9f107cae683dcf72
Instruction ID: 420133d06e0b1f2c0d317006beb7ee71cb094f874b84675ac1a8db61576715d8
Opcode Fuzzy Hash: eb68034816a1b22d4d42b68bfa87daaead973648ca8f5c3e9f107cae683dcf72
Instruction Fuzzy Hash: 92118E712116059FD729CF59C850FA6FBF9EF85321F058169E95A8B6A0E770EC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017C4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b25aeda5454ec8757623f5400b04abc3c2cfd308b796f5e63246e97195e186
Instruction ID: a234c00ea519c4b82d2f548016110a9f0cd28269827268e5a51867cf9d7375e1
Opcode Fuzzy Hash: e9b25aeda5454ec8757623f5400b04abc3c2cfd308b796f5e63246e97195e186
Instruction Fuzzy Hash: AD218C71905601CFCB36DF68D424A14FBF2FB86764B90C2AEC1468B299EB35D692CF00

Uniqueness

Uniqueness Score: -1.00%

Function 017428FD, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df54fcd058e05279542594fe9d1d45f7f958ee12d52059f2dbdb4f89812ce1b0
Instruction ID: 45b835ea68f8dd2df16917856249b675b2ae8ba34ae861e00edc01b6a4c4dcbe
Opcode Fuzzy Hash: df54fcd058e05279542594fe9d1d45f7f958ee12d52059f2dbdb4f89812ce1b0
Instruction Fuzzy Hash: CE114E39348740ABF32A536DED48F26FB98DF95B90F140065B9019B3D2DBA4DC00C121

Uniqueness

Uniqueness Score: -1.00%

Function 01762397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa2e50fe49eda5b17f82e1d926192082d28369a2bdc841ef34f905594538834
Instruction ID: 7801693e16b6f69227c94cd4847749aa126af4e06f6661352ae6ac8f43f4d01a
Opcode Fuzzy Hash: 5fa2e50fe49eda5b17f82e1d926192082d28369a2bdc841ef34f905594538834
Instruction Fuzzy Hash: 72112B3170431167E7B19A7EAC88B15F6DCFBA1710F14846AFE02D7256DAB4DA408754

Uniqueness

Uniqueness Score: -1.00%

Function 0173C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42695d370d2d5712e8f19281c693687140b7317a69af5dcdb5e1af19f8700dbd
Instruction ID: 046aaca74240fb8a14fd23cdd5503e4d60961811c39fd939e78b899033572cc0
Opcode Fuzzy Hash: 42695d370d2d5712e8f19281c693687140b7317a69af5dcdb5e1af19f8700dbd
Instruction Fuzzy Hash: 9411C2323006169BC726AF2DCC89A6AF7A9BBD8710F500629EA4183651DB25EE54CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01734CB0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b013aef0c8ee146a7778a70987bf9a22271e01f303a57be21fb5b62648354d
Instruction ID: 49fe45d7ca01615bd54955899dc8dc7698f30619ebbab967285c4d21128a230f
Opcode Fuzzy Hash: 55b013aef0c8ee146a7778a70987bf9a22271e01f303a57be21fb5b62648354d
Instruction Fuzzy Hash: 3011A3B1610614DFD726CF59E845B67B7E8EF85310F0144A9EA96CB312DB31EC808BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0176002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 87bb005dc7c128957fec20f7ab750bae1b63035f7d0e1e489940fc40486b0df6
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: FA11C432605681CFE723972CC958B35FBD8EF81754F4D01E0ED0697AA2D7BAD881C661

Uniqueness

Uniqueness Score: -1.00%

Function 0173A745, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f46335558824988f296d78b2ce02672d1e0ee712e01b01d32a3d7f734d1fff1
Instruction ID: 5d7433f5df2fb927a05b4a7b181cfb3df96e77e358adb2fbd0a8fa5369b61a76
Opcode Fuzzy Hash: 8f46335558824988f296d78b2ce02672d1e0ee712e01b01d32a3d7f734d1fff1
Instruction Fuzzy Hash: 4201F932201205DBDB21EF2DEC45E65F7A8EB42320F0482AEE905CB262DA35D905CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01739080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8bf42607a7c2fd03aff08c106c6c9296a48869ea3c1ffd51615e5df4f1cd8c
Instruction ID: b634827bdc0403a6ce2311f2624e769f129d6119e1683d7919627a22eb5efefc
Opcode Fuzzy Hash: 7b8bf42607a7c2fd03aff08c106c6c9296a48869ea3c1ffd51615e5df4f1cd8c
Instruction Fuzzy Hash: A301F472901605CFD3268F08D848B11FBA9EB82324F214066E601CB696C3B0DD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017CC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 1b0293799375f34c4a4dde4dff1b0c4c60fa7eee920f0a9db495d7e95a75b851
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: B9019671140506BFEB15AF69CC84E62FF7DFF54764F108529F214425A4C731ACA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01763B5A, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3db3f29ea2eb01b55beb266236500daf6ab9f2d29a132b36dd58dc8a1500280
Instruction ID: 5a7db1fce4c1e66edfc641377c7c4dc934168325489b8b7d1f0535c01ef85190
Opcode Fuzzy Hash: d3db3f29ea2eb01b55beb266236500daf6ab9f2d29a132b36dd58dc8a1500280
Instruction Fuzzy Hash: B3111C36601554DFCF6ADF48CA80F6ABBB9FB48600F99456CE905A7752C328FD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 017F1A5F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c9fd581f1e554970a89d6a31afba284f173d02daa84f0e91c730740297cabc
Instruction ID: a48ff63016b7d9b2773c31296dbfb17dabcd50dee193f70419c21f80d7be16db
Opcode Fuzzy Hash: 07c9fd581f1e554970a89d6a31afba284f173d02daa84f0e91c730740297cabc
Instruction Fuzzy Hash: F3116D71A01209ABCB10EFA9D845EAFBBF8EF44710F40406AFA14EB380D674DA04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017331E0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction ID: 668e4d4ea35864327233f1a61185b1e4c7cd5b2c8349b9bba653c5e523dd4aa5
Opcode Fuzzy Hash: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction Fuzzy Hash: 12012432640B01AFEB32E67ADD04EA7F7EDFFD5A10F044419EA428B592DA30E841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01804015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34bc682d1a33b0dbda2c2e366686f3bede228eda523f81bcbed8e2ec26388d4
Instruction ID: cb96a01ae1daafe49b4dead5cc0497c3db18a7a5fb30c29c64420fd1a4c38b1d
Opcode Fuzzy Hash: b34bc682d1a33b0dbda2c2e366686f3bede228eda523f81bcbed8e2ec26388d4
Instruction Fuzzy Hash: D601D471241646BFD791AB69CD88E13F7ACFF55750B000229FA08C3A11CB74ED11C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 017F1951, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2308031544ecf789d0d1cb3bfc2d01a5eb4142762405a75a7a6480bd86a1cbb
Instruction ID: aa4d5a5f5a8bc6fe96767b2e84dc8215371470ef56f23eb558543b07e927559a
Opcode Fuzzy Hash: f2308031544ecf789d0d1cb3bfc2d01a5eb4142762405a75a7a6480bd86a1cbb
Instruction Fuzzy Hash: 83015271A01259ABDB14EFA9D845EAFFBB8EF44710F40406AF950EB380D6749B40CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 017F19D8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6b0c3c22bf7e39f4c1597d95659c85955106b0b29916707486bbd461511d9e
Instruction ID: b2a97076a0722819c585317f92a3e280e80f0db0d15defb83866c81c40254d9f
Opcode Fuzzy Hash: ab6b0c3c22bf7e39f4c1597d95659c85955106b0b29916707486bbd461511d9e
Instruction Fuzzy Hash: 76015271A01259ABDB14EFA9D845EAFFBB8EF54710F40406AF900EB380DA759B05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017F1843, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766f0604374945bf58f90848f86d483b640e6a6ee82878d3c911b2d539cfed4a
Instruction ID: 6a4c04df2bd902f179d207d614b6259b767fb3a408b1d898819761710c32b409
Opcode Fuzzy Hash: 766f0604374945bf58f90848f86d483b640e6a6ee82878d3c911b2d539cfed4a
Instruction Fuzzy Hash: 3B015271E41259ABDB14EFA9D949EAFFBB8EF54710F44406AF900EB380D6749A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017370C0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction ID: 901ba2e4e4c06d14dff7eb88672e71c5c1b769c2d632e8abf90569f64603b58f
Opcode Fuzzy Hash: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction Fuzzy Hash: AC118BB2410B02DFD7369E18D880B22FBE1BB94722F158868D5994A5A7C778E881CB10

Uniqueness

Uniqueness Score: -1.00%

Function 017F18CA, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c4b34efe9e49330a26ead352859a963b3786254fa7f313ccb29bd122e2655d
Instruction ID: a861c71092d4b330215a7ad5d4ee8cb8a588244375f00c822e88ad07e49b2696
Opcode Fuzzy Hash: e0c4b34efe9e49330a26ead352859a963b3786254fa7f313ccb29bd122e2655d
Instruction Fuzzy Hash: C0015271A01259ABDB14EFA9D845EAFFBB8EF44710F40406AF915EB380D6749A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017F138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969f7b5a6d349bc3282fe6a7571660980c4ce0339c5be0e9733fcf2059aeeb63
Instruction ID: 2a02540a03f2331e2d555d0e69adb7387df00793199a58319771f942e61d9c0a
Opcode Fuzzy Hash: 969f7b5a6d349bc3282fe6a7571660980c4ce0339c5be0e9733fcf2059aeeb63
Instruction Fuzzy Hash: C5015271A01219AFDB14EFA9D845EAEFBB8EF44710F40406AF904EB380D6749A45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 017F14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf6a1dc8ccaa6d1d5a357f89c31daa098d75e31a8eb6f7dbc4d5c386a8e706b
Instruction ID: 69e65eb91438a6ba67fe1552a3023d86129ae8039623722c77cfc1fe50c793fc
Opcode Fuzzy Hash: 5bf6a1dc8ccaa6d1d5a357f89c31daa098d75e31a8eb6f7dbc4d5c386a8e706b
Instruction Fuzzy Hash: AA019671A01248AFCB14EF68D845EAEFBB8EF44710F504066F914EB340D670DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01808450, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction ID: d571a042d8adc131f819cda898b579a47cc04362c8cd0dfbcfad4bd5de4878e4
Opcode Fuzzy Hash: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction Fuzzy Hash: B901D833600A059FE7A69A69DC44F56B7EAFFC6310F09441DE646CB790DA70F980C750

Uniqueness

Uniqueness Score: -1.00%

Function 017358EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36533dc42b17b03e7d37ef65077d21b89ceefa8097d6cb7b92fcb048aed043f1
Instruction ID: b146c558f0b04ab0184cb8d81300e6b4a1a8e021b3a9381d6537ffa998cd1eb6
Opcode Fuzzy Hash: 36533dc42b17b03e7d37ef65077d21b89ceefa8097d6cb7b92fcb048aed043f1
Instruction Fuzzy Hash: 9401A731B001099BC714EE69D859ABFF7A8EFC6130F954169DA05D7289DE31DE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017395F0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction ID: 58b2845eb4264bb9a5f167e2ffffe5ad47085fc373d257a94410aec400739da8
Opcode Fuzzy Hash: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction Fuzzy Hash: F0014732A02254DBDB129A68C804F29F3A5EBD1728F104155EF058B292DBB4EE40D781

Uniqueness

Uniqueness Score: -1.00%

Function 01808966, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e429a5dae8660adf7900ea1c1f2996d9d7bda5feaa72e99053a7d90cc82425a9
Instruction ID: a4f9e80ceb26858dbfa31772d092248324c106e233b01f3c8335a53db8af7e4e
Opcode Fuzzy Hash: e429a5dae8660adf7900ea1c1f2996d9d7bda5feaa72e99053a7d90cc82425a9
Instruction Fuzzy Hash: 7A0129B1E0121DABCB00DFA9D9459AEBBB8FF58310F10446AE901E7380D6749A00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0174B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: e6a1ade354789f16ed383fd0d26640bf737436d49e6aaf5943dddc5a3517a22b
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 2C0184322015809FE726C71DD988F66BBD8EB85750F0900A1FA15CBA61D778DC40C661

Uniqueness

Uniqueness Score: -1.00%

Function 01801074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7670dcb1d2307316795f15a5f01bdf855654a66075418312b1a1c5004c2deab
Instruction ID: be9cc3b6ecf91ab2bcf039c6f95f967c97f4c551d1c8a1a4104d5ac05d5eb5a7
Opcode Fuzzy Hash: c7670dcb1d2307316795f15a5f01bdf855654a66075418312b1a1c5004c2deab
Instruction Fuzzy Hash: D7014C726047469FC752EF28CC48B1BBBD5AB94320F04C529F986C36D4DE31D640CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017F129A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936197fa1538e335e8a5abf3a1d777f5d0c4ae5f409250b43ca291e5a62ae2b9
Instruction ID: 0792491c3fc3ae17f3f36a0a61adbce8cc1474991f4851aee7f07818dbab9d1f
Opcode Fuzzy Hash: 936197fa1538e335e8a5abf3a1d777f5d0c4ae5f409250b43ca291e5a62ae2b9
Instruction Fuzzy Hash: D5017175A01258ABDB14EFA9D809EAFBBB8EF54700F40406AF915EB380D6749A00C794

Uniqueness

Uniqueness Score: -1.00%

Function 017F1751, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9aab54612cb1ff9780c51fe4914dd542bd5ee9ce3d5c207af8ebe45c4d7d4e
Instruction ID: 9d4417c4ccd2b1c646eb3e024e36e7f4e0c66400a28c6a853bb8218fa6e802a5
Opcode Fuzzy Hash: 0e9aab54612cb1ff9780c51fe4914dd542bd5ee9ce3d5c207af8ebe45c4d7d4e
Instruction Fuzzy Hash: E5018871A01218EBDB10EFA5D809EAFFBB8EF54700F40406AF905DB380D5749A00C794

Uniqueness

Uniqueness Score: -1.00%

Function 018089E7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31007c3085dacda749608bf27ea502300f0f22ef4eef5a4b8644acb4b26d179f
Instruction ID: b3ed2ce32f64f5f34aa319810cbff68efb3e508322b45edd74fb24445987736a
Opcode Fuzzy Hash: 31007c3085dacda749608bf27ea502300f0f22ef4eef5a4b8644acb4b26d179f
Instruction Fuzzy Hash: 23012171A0121DAFDB00DFA9D9459AEFBB8EF59310F50405AF905E7340D6349A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01808ADD, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec32737ba0eebb13c4642b593162e720c2f9f09994c98efeada3ca705608d30
Instruction ID: c351023f63c6db5e7baf6f4610f6dc942a4c47987dd53073cdd3f9b8f8b4b674
Opcode Fuzzy Hash: cec32737ba0eebb13c4642b593162e720c2f9f09994c98efeada3ca705608d30
Instruction Fuzzy Hash: EB012CB1A0161DAFDB00DFA9D9559EEFBB8FF59310F50405AFA04E7380D634AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01808A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814a3f928c69f074fca3789c1118745b2cd9cc118dc223d0d78e55c1a4940d56
Instruction ID: 8e9af03eff5de669192c76f4f18be7700cb14293dfb1ee9348a99a5b04436382
Opcode Fuzzy Hash: 814a3f928c69f074fca3789c1118745b2cd9cc118dc223d0d78e55c1a4940d56
Instruction Fuzzy Hash: 0B012C71A0121DAFCB04DFA9D9459AEFBB8EF59310F50405AFA04E7381E634AA40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01809CB3, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd333cdc9fe68b94fb04de4fe9040d58d53a912a1f50b02c0fde3cd24a10ac80
Instruction ID: 3eb8cdc8c6837c0dfb5c1dd310bde5aa685c787c887caba0609f32b2e16711e8
Opcode Fuzzy Hash: bd333cdc9fe68b94fb04de4fe9040d58d53a912a1f50b02c0fde3cd24a10ac80
Instruction Fuzzy Hash: B2012171A0121D9FDB00DFA9D945AAEFBB8FF58314F50405AFA04E7381D674AA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0173DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: c0f34cd64cb8308d58b1a928ad6415790437a6fb474106abdb9e6483d9abe7fb
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 58F046332006239BD3372AD9C888F2BFA969FD1A60F160035F2059B34ACF708C0282E0

Uniqueness

Uniqueness Score: -1.00%

Function 0173B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: b1a957c87780837d90b41716976144f4add45ca6ddcc375e88b26330c1c58812
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: DB01F432204A809BD726976DD908F69FB98EF91750F0800A1FE158B6B2D678C941C315

Uniqueness

Uniqueness Score: -1.00%

Function 01737057, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb679580d62f6283512ddf3fddb25dd4b6861cf779cf9d3f0cc306fc0696897
Instruction ID: 5b01f7b352cb10d00d251c30ef8b532a0e7ce29aae90c72e346cf85ddad334da
Opcode Fuzzy Hash: afb679580d62f6283512ddf3fddb25dd4b6861cf779cf9d3f0cc306fc0696897
Instruction Fuzzy Hash: 1E01AD31200608ABD735DF58DD09FABFBF9EF84700F10056DE90583191DAB1AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01809BBE, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537b38804eb63a6be0d81c8e2595f822ad4b903ff8d861741021e9d11ecb3362
Instruction ID: ed201936e9227e50aaa2c3be12c79af6eb8f85e1a840a567a60907b53ea9176a
Opcode Fuzzy Hash: 537b38804eb63a6be0d81c8e2595f822ad4b903ff8d861741021e9d11ecb3362
Instruction Fuzzy Hash: B4017C71E0120D9FCB00DFA8D845AAEBBB8AF58310F14405AE905EB280E734AA00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 017F1229, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc82eab9d2e4b482d5444490c6e0a52894dac9cefb2b19cef715312506c6e304
Instruction ID: 8443164bc08796468cc8d751b4b1bf81b87df27b61144cfb807632a0a4e70f58
Opcode Fuzzy Hash: cc82eab9d2e4b482d5444490c6e0a52894dac9cefb2b19cef715312506c6e304
Instruction Fuzzy Hash: D001A976B15218EBDB14DFF9C4059AFF7B8EF54710F40809AEA11E7290E9749A00C790

Uniqueness

Uniqueness Score: -1.00%

Function 01731480, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7d4663d62046aefbf398c2601a6ef7ccf85a2c444bb44e9c472d1d2916286d
Instruction ID: 108c8bccc9b7ada2a425aaf2710f143d2e015cea026309f37b0fbc87b366a82a
Opcode Fuzzy Hash: cf7d4663d62046aefbf398c2601a6ef7ccf85a2c444bb44e9c472d1d2916286d
Instruction Fuzzy Hash: 74F08C36B01108ABDB25DA49C840EBEFBADDBC4610F5401AAA905E7646DA70AE028790

Uniqueness

Uniqueness Score: -1.00%

Function 01765AA0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction ID: 2bebf11e4115ce403af19d7f9678514ab6de7bced1c3c7ffc361c1d844fad753
Opcode Fuzzy Hash: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction Fuzzy Hash: 9401D6715417499FDB229B18C888F2DBB9CAB41760F484252FD148B291D7B4EA409751

Uniqueness

Uniqueness Score: -1.00%

Function 01733591, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction ID: 24f8eb43fce7049f8b414d230d54c46ece181fa772d3c92db166b7a3400b379a
Opcode Fuzzy Hash: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction Fuzzy Hash: 68F0FC71A012099BEB35DB798850FFAFBA8FFD4710F148255DE05D7182DA71D9408790

Uniqueness

Uniqueness Score: -1.00%

Function 017EFDD3, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b564a39ba5ed0e0f635df5adb04bc196e93aa91ff10e4221419fd2fef3343d03
Instruction ID: c85f4bf9db6246eccc03a684fd74f65023386576c16de6254d571151c3de8400
Opcode Fuzzy Hash: b564a39ba5ed0e0f635df5adb04bc196e93aa91ff10e4221419fd2fef3343d03
Instruction Fuzzy Hash: 36F0C231B01658ABDF04EBA9D80AE7EF3F4EF48700F4041A9FA01EB690EA70E901C745

Uniqueness

Uniqueness Score: -1.00%

Function 01731BE9, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction ID: 35221a5bd624737e44db5e570859b7a521cc4ddf3e5a396ca8c05f9f842fe555
Opcode Fuzzy Hash: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction Fuzzy Hash: 0FF0F031614208ABE719CB2ACC00B56F7EEEF98300F1080B89949C7261FAB2ED01D354

Uniqueness

Uniqueness Score: -1.00%

Function 017F131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f73b759cfef0e6580e9d02361c6abc7b5d6eb7087833b65f31e8ddc05161e9d
Instruction ID: 866cbe7e6607244a13337ff55aabedd6a93e32560dc140634eb657281c7b255f
Opcode Fuzzy Hash: 3f73b759cfef0e6580e9d02361c6abc7b5d6eb7087833b65f31e8ddc05161e9d
Instruction Fuzzy Hash: 2D013C71A01209EFCB04EFA9D549AAEFBF4FF18700F508069F905EB381E6749A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0175C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0334cce06e719f536984ac49a51542b399e9b0acf7d16f5f1a41a0d83ee0445b
Instruction ID: 5b3675f9c76e7365fda4f37dcc149c65916d1624476a66f4b0390348300e0ffa
Opcode Fuzzy Hash: 0334cce06e719f536984ac49a51542b399e9b0acf7d16f5f1a41a0d83ee0445b
Instruction Fuzzy Hash: 65F09AB29257949EE7B787AC8004B22FFEC9B0567CF7484A6DD1687242C6F4DC80C261

Uniqueness

Uniqueness Score: -1.00%

Function 017F2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d942c3476e8549a940a0eb299d94ef2cb8a709eebeeb72942e1f02034579942
Instruction ID: de7b745b8804a995b3601b6be131511c7438c274eec65c7a32beafb22781608d
Opcode Fuzzy Hash: 7d942c3476e8549a940a0eb299d94ef2cb8a709eebeeb72942e1f02034579942
Instruction Fuzzy Hash: D9F0A02B4151958BEF33AF2875193E3EFD2D75A110F49848AD6905730EC979CA93CF20

Uniqueness

Uniqueness Score: -1.00%

Function 0177927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: f42ff67adb177f12c92728ba34f01d252c6cadcc21362362e0fb83110ad6ee0f
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 90E0E5322416016BEB11AE09CC84B03B669DF92724F004078BA001E242C6E6D90887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01808D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c61699103a3ef10f30a05a9eb8cf02560903f2a4cb82d7e41e081a3ed4a98e7
Instruction ID: da664a2beed700b02c6ed0e5b4ef67493397222c93746ada7eb55fc42191e6e1
Opcode Fuzzy Hash: 5c61699103a3ef10f30a05a9eb8cf02560903f2a4cb82d7e41e081a3ed4a98e7
Instruction Fuzzy Hash: 46F05470E0560D9FDB14EFB8D545A6EB7B4EF14700F508199E905EB395EA34DA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01808C14, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90637ab5f00b9295ef17fd3f743900c0b17a0feeb05da57d8a7207b65ac3ac60
Instruction ID: c34e96e92abd5069d35d4d08eddc7e1caa7fd59d5c682230450722e57b738490
Opcode Fuzzy Hash: 90637ab5f00b9295ef17fd3f743900c0b17a0feeb05da57d8a7207b65ac3ac60
Instruction Fuzzy Hash: 7CF0B470E0520D9FDB54EFB8D905A6EB7B4FF14300F404459A905EB380EA34DA00CB84

Uniqueness

Uniqueness Score: -1.00%

Function 01808C75, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7adee7e0291ff838b8768bc797504dbdb01b63b4c6fb8598ae1994d93eac21
Instruction ID: dd2810e8779e63a0d0f84a933e05cda91d6a19887bbd9f6b6f7fd8d78134b3f5
Opcode Fuzzy Hash: 5c7adee7e0291ff838b8768bc797504dbdb01b63b4c6fb8598ae1994d93eac21
Instruction Fuzzy Hash: 08F0BE70E1524DAFDB54EFB8D90AE6EB7B4EF14304F4040A9A905EB381EA34DA00CB84

Uniqueness

Uniqueness Score: -1.00%

Function 01808BB6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431f485315c90fe552a760aa5703f852b54483720cc042be87acbfadd445274a
Instruction ID: 6a20c3935b49624218793d0d37b0745e409c5d7a7de28fecd1e07d317f6c3458
Opcode Fuzzy Hash: 431f485315c90fe552a760aa5703f852b54483720cc042be87acbfadd445274a
Instruction Fuzzy Hash: A6F08270A0565DAFDB14EFA8D91AE6EB7B4EF04304F544059BA05DB2C1EA74DA00C798

Uniqueness

Uniqueness Score: -1.00%

Function 017F1BA8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194bf6bc042e56ebb1699eb16d764937e79cd474035922c43de9cb9ecb9654a3
Instruction ID: df47bbdcad7b7c4c758cf6bbf15298a5b14ebd0b762494f0c00f369c057ce311
Opcode Fuzzy Hash: 194bf6bc042e56ebb1699eb16d764937e79cd474035922c43de9cb9ecb9654a3
Instruction Fuzzy Hash: D9F08271A0524DEBDF14EBE9D44AAAFB7B4EF18304F400099EA05EB384E974DA00C758

Uniqueness

Uniqueness Score: -1.00%

Function 01808B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c7b65b09633e25d18e9b72e99e5366e1c8a18718e70e9ed8d47337952d1c4b
Instruction ID: ca56ec9fdd32d3807ae43c82d9bde9f350c2adb7865a3b615b49b1a5b3cf1e3b
Opcode Fuzzy Hash: 80c7b65b09633e25d18e9b72e99e5366e1c8a18718e70e9ed8d47337952d1c4b
Instruction Fuzzy Hash: EFF082B0A0565DABDF14EBA8D91AE7EB7B4EF04304F540459BA05DB3C0EA74DA00C798

Uniqueness

Uniqueness Score: -1.00%

Function 0175746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ea949e9598caab418244d01ef6c8b4bc7fd89dd1aabf04e2bfced684346d98
Instruction ID: 38c78d3753fc2000580d0d3e4d946ec9641ec83785128c03e2a5ab139c5da35a
Opcode Fuzzy Hash: 58ea949e9598caab418244d01ef6c8b4bc7fd89dd1aabf04e2bfced684346d98
Instruction Fuzzy Hash: F6F0E234A00245AADF8A9B6CC880F79FFB1AF14320F840295DD61EF162E7F89802C785

Uniqueness

Uniqueness Score: -1.00%

Function 01808CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72920868366604045b380bbf6d5191bb705daa7ad4d13a714abf3c9181f0defa
Instruction ID: ce6f2a07470a72548fa20e69dccd231f5c9ebbaa23afe8fd9403e82af11dacec
Opcode Fuzzy Hash: 72920868366604045b380bbf6d5191bb705daa7ad4d13a714abf3c9181f0defa
Instruction Fuzzy Hash: 4AF08270A0520DAFDF04EBA8D94AE6EB7B4EF19304F500299E915EB2C0EA34DA40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0173354C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9dbe4bdcb47b783146aa6a25dfebdb63dc34858e8cda8603fbe3f4d5300b1f6
Instruction ID: f1f5be1df83bffe00326e59c2cada31bd1add8c2d9ecbcec6974509dfde4cdb1
Opcode Fuzzy Hash: a9dbe4bdcb47b783146aa6a25dfebdb63dc34858e8cda8603fbe3f4d5300b1f6
Instruction Fuzzy Hash: ADF02032A912888FD732E32CC004F22FBD8EB09B70FA540A1E804CB983C338CD80C680

Uniqueness

Uniqueness Score: -1.00%

Function 0176A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32ad6282a3381088e99430a7109603fe722a38d6cd0a48f893dcde78b9cbd12
Instruction ID: e804c375d94e8e4f0530030c31adebca5074cac48354c4e09e0c50c33402c1bf
Opcode Fuzzy Hash: e32ad6282a3381088e99430a7109603fe722a38d6cd0a48f893dcde78b9cbd12
Instruction Fuzzy Hash: 4DE09272A01421ABD3225F18AC00F66F79DDBE5651F0A4035EA05D7214D668DE01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0173F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 03c5bb8b85c3c1a0e702f7cf785dd427a9293690c06c4a08b25dc491655aa47e
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 37E0DF32A41118FBDB21AADD9E09FAAFFACDB98AA0F000196FE04D7150D5759E40D2D2

Uniqueness

Uniqueness Score: -1.00%

Function 017315C1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction ID: c32b6cc98c6ade3abc1d2d2f8562ef1a9998508733396a43280e9a95d92f9b17
Opcode Fuzzy Hash: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction Fuzzy Hash: 8CE02231240286D3CF32AB48C400BB6F7A9AFE1700FA88071E8028B583DBA0DC42C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 0175E760, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6946523e3f3a547cfcf68fa6d7a32428f2f13356e0f396f6972e1334928c8311
Instruction ID: 636fb2c0588a1abb61dd47f86f093e61d2fb422ff01f8d755f96dcb071ad7ae0
Opcode Fuzzy Hash: 6946523e3f3a547cfcf68fa6d7a32428f2f13356e0f396f6972e1334928c8311
Instruction Fuzzy Hash: 33F0A031994284DEEB62D76CC044B22FBE89B85270FA846A5DA06C7152D6B6D980E260

Uniqueness

Uniqueness Score: -1.00%

Function 01775C70, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315252d8d3e5e1fdd0d3f6bd8f50884039f61c830c14d95a10b54c942d48fd22
Instruction ID: 434bf7dba0d8c2d9e31a4efde7ef88b3912d8abce6faa1c9ac0b812d6bce9a5e
Opcode Fuzzy Hash: 315252d8d3e5e1fdd0d3f6bd8f50884039f61c830c14d95a10b54c942d48fd22
Instruction Fuzzy Hash: 11E04F7110024AAFFF11DB49C949F25BFA9AB44720F04C555A6198B1A1C774D984CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0174FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af34ee8d24f8b5c30c8464365108d1b4588d0e4c4528dc3e91c24d61c674565c
Instruction ID: 57e8100a697656fea21b0067bc20599288f15fa51c0533dc96bbe3d72d7d6313
Opcode Fuzzy Hash: af34ee8d24f8b5c30c8464365108d1b4588d0e4c4528dc3e91c24d61c674565c
Instruction Fuzzy Hash: CBE0DFB06092449FD736DB6DE040F26FB989B53721F19805DE4084B902C721D880C286

Uniqueness

Uniqueness Score: -1.00%

Function 017C41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0a3d2272f4b770ccc3ed7d87810fe2f7cae24addfe982f0760e3977b9b62f4
Instruction ID: ca8c12aefe9cc889ffdc755ec4be3dbdf7ad7fed5afbe3b00d5711921c82346d
Opcode Fuzzy Hash: 2a0a3d2272f4b770ccc3ed7d87810fe2f7cae24addfe982f0760e3977b9b62f4
Instruction Fuzzy Hash: C4F0F2748507019FEFB3EFA9D919714B6E4F75A721F80812AD1018628CC73446A5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 017ED380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 625fad27184bf7aaaa1d84af99a37fd9b91368a6b008d05edcd961c66f01d0ed
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: DEE0C231284205FBDB325E88CC04FA9FB96DB547A0F104031FE085AA91CA719C91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 01732CDB, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2301cbb80807bd86986fb20a83a6222ed7f6f329ba40549649f5f350f115ca8
Instruction ID: 0d7b80ddcc1b857dbaf06b6727d1f56d4eb6e87e9f1749d27b5ef65f1d066407
Opcode Fuzzy Hash: a2301cbb80807bd86986fb20a83a6222ed7f6f329ba40549649f5f350f115ca8
Instruction Fuzzy Hash: E7E08C31051221EFDB322A28EC08F52FAA1BB90721F200469E181050AA8AB09881DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0176A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d32d588f24e1b48649e8fcb3c15794c47ee0179ca924764dc550edb78a2cfd0
Instruction ID: ec3e989b641143dac54a08046e29dd1bd431dedd2fbee900222a7526e9adca0f
Opcode Fuzzy Hash: 5d32d588f24e1b48649e8fcb3c15794c47ee0179ca924764dc550edb78a2cfd0
Instruction Fuzzy Hash: B8D02B711200409BC72F1700AD18B217666F784750F34480CFF078B995FDA08DD88108

Uniqueness

Uniqueness Score: -1.00%

Function 017B53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: e4572ecb3bd6e87a0bae5a9bdc543648b1a2ad47fa695b670bad08475ecc9e90
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: ECE08C319007809BCF12EB8CC694F8EFBF5FB44B00F140414A5085B720C778AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0174AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 7a0ca24b600977940af00fc175c5618a015eb61380b8fdb626638b867a370b0e
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 8ED0E935352980CFD717CB1DC958B1577A4BB44B84FC50490E501CB762E72CD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 017635A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 082a052ad952966c7a3b3a65089b55bbdc73a210712e643a1fac9554b9ea10a1
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 3BD0C9315515869AEB52AB78C238B68FBBABB00218F7820A5994B07957C33A4A5AD601

Uniqueness

Uniqueness Score: -1.00%

Function 0173DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: d26a5fbf54819dd710e6396729bd6d3f27da1b0b91a1dc81a40811fb1ff4c549
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 74C08C70280A01AAEB361F20CD01B00BAA1BB50B41F8400A06702DA0F0EBB9DC01E610

Uniqueness

Uniqueness Score: -1.00%

Function 017BA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 6e8f093a9377588ebcd1485530d0ed90f26ed94c558bd52377c24a31af662449
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 42C01232080248BBCB126E82CC00F06BB2AEBA8B60F008010BA080A5608672E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 01753A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 11fff886b8ce5e9ec1630b30e02cf62435839d2d406878590fa82b84f6ef8eb0
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: B3C08C32080248BBC7126F41DC00F01BB29E7A0B60F000020BA050A5608572ECA0D598

Uniqueness

Uniqueness Score: -1.00%

Function 0173AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 2c88e266978f74eb3720907d16dc77a4f54cf72c7994071162fe080b258eecc0
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: D2C02B330C0248BBC7126F45DD00F01BF2DE7A0B60F000020FA040B671C972EC61D588

Uniqueness

Uniqueness Score: -1.00%

Function 01764190, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: 5b33d354b1317c062563c5cf6e50cd87f4c3c3bd99b895183292f2406ac52f47
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: 6CC04C757516418FCF15CB29C284F1577E4B744744F550890E805CB725D664E940CA10

Uniqueness

Uniqueness Score: -1.00%

Function 017E8D47, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 68dbd754c01615185f225091158ad72ca2d23380ed68976a868f7437e1ef829c
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: 9AC04C1E1556C949CE278F2442167D5BFA0D7469D0F191481D4D11F512C11545539626

Uniqueness

Uniqueness Score: -1.00%

Function 01757D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: b3799b0459a3d0a9ffe81802f51ac5ce18e755cbc8a7d304621234e400cac126
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 61B09235301A408FCF6ADF18C080B1573E4BB44A40BC400D0E800CBA21D229E8408900

Uniqueness

Uniqueness Score: -1.00%

Function 01762ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: fe09063f7c68f9b26bc6c92c97366b4057fdd4a0ffda5cc81fe72a3704c930ab
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 17B01232C10841CFCF02EF84C610F19B331FB00760F0544A0900127930C72CAC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 017340FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E017340FD(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x182d360 ^ _t107;
				_v8 =  *0x182d360 ^ _t107;
				_t105 = __ecx;
				if( *0x18284d4 == 0) {
					L5:
					return E0177B640(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E0174E9C0(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v552 = _t85;
					_t49 = E017342EB(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v552 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E017341EA(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v552 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v552);
							_push(0x22);
							_push(0xffffffff);
							_t45 = L017796C0();
						}
						goto L4;
					}
					_v556 = _t85;
					_t102 =  &_v556;
					_t55 = E0173429E(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v556 - _t85;
						if(_v556 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E017C5720(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v556);
						_v560 = 0x214;
						E0177FA60( &_v548, 0, 0x214);
						_t106 =  *0x18284d4;
						_t110 = _t108 + 0x20;
						 *0x182b1e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x18284d4))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E0177B75A();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E017C5720(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E01781480( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E017C5720(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v556 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E01781150(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E017C5720(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E017B3E13(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v556;
							} while (_t106 < _v556);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E017C5720();
						goto L15;
					}
					L8:
					_t56 = E017341F7(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v552;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x0173410d
0x0173410f
0x0173411c
0x0173411e
0x01734158
0x01734168
0x01734168
0x01734126
0x01734130
0x0173413c
0x017904a2
0x01734142
0x0173414b
0x0173414b
0x0173414f
0x0173416b
0x01734171
0x01734176
0x01734178
0x017341d0
0x017341d2
0x017341d3
0x017341a7
0x017341ae
0x017341b0
0x017341db
0x017341b2
0x017341b8
0x017341bf
0x017341c1
0x017341c1
0x017341c1
0x017341c3
0x017341c5
0x017341df
0x017341e2
0x017341e2
0x017341c7
0x017341c9
0x01790628
0x01790628
0x01790630
0x01790631
0x01790633
0x01790635
0x01790635
0x00000000
0x017341c9
0x0173417d
0x01734183
0x01734189
0x0173418e
0x01734190
0x017904a9
0x017904af
0x00000000
0x00000000
0x017904b5
0x017904c8
0x017904d5
0x017904e5
0x017904ea
0x017904f6
0x01790518
0x0179051e
0x01790520
0x01790522
0x00000000
0x00000000
0x01790528
0x0179052e
0x01790530
0x00000000
0x00000000
0x0179053b
0x0179053d
0x00000000
0x00000000
0x01790545
0x0179054c
0x0179054e
0x01790623
0x00000000
0x01790623
0x01790556
0x01790557
0x0179056f
0x01790574
0x01790583
0x0179058a
0x0179058b
0x0179058d
0x017905b5
0x017905c0
0x017905c6
0x017905c8
0x017905cb
0x017905cd
0x017905d3
0x017905d5
0x00000000
0x00000000
0x00000000
0x00000000
0x017905db
0x017905db
0x017905e3
0x017905e7
0x017905e9
0x017905eb
0x017905ed
0x017905ed
0x017905fa
0x017905ff
0x01790606
0x0179060b
0x0179060d
0x00000000
0x00000000
0x01790613
0x01790613
0x01790616
0x01790616
0x00000000
0x0179061e
0x0179058f
0x01790594
0x01790596
0x01790598
0x00000000
0x0179059d
0x01734196
0x01734198
0x0173419d
0x0173419f
0x00000000
0x00000000
0x017341a1
0x00000000
0x01734151
0x01734151
0x01734151
0x00000000
0x01734151

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 017904BF
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01790566
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 017905AC
Execute=1, xrefs: 0179057D
ExecuteOptions, xrefs: 0179050A
CLIENT(ntdll): Processing section info %ws..., xrefs: 017905F1
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 0179058F

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: bc8cd64315bfdac5a0ebb38547c9bf5dd50b7848beb9b96a557ac9b2a66829ca
Instruction ID: 23aa2752964726cb532f986f8d7c03b6f9631508e52ac28a3c5614bcafddd340
Opcode Fuzzy Hash: bc8cd64315bfdac5a0ebb38547c9bf5dd50b7848beb9b96a557ac9b2a66829ca
Instruction Fuzzy Hash: D4614B71740619BAEF25AA98EC89FB9F7A9EF64700F0400D9E606A7182D7709A458F60

Uniqueness

Uniqueness Score: -1.00%

Function 01771CC7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

@, xrefs: 01771D1B
$, xrefs: 01771D37

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 02cff2fd4ec91fa4f18c6e4bc39f7b14ff75036b91290a935dcb94cf3d10e2a3
Instruction ID: 0ba3438b48fee700f5ae19279c2161e718ef02174bb00645a39142675590f52c
Opcode Fuzzy Hash: 02cff2fd4ec91fa4f18c6e4bc39f7b14ff75036b91290a935dcb94cf3d10e2a3
Instruction Fuzzy Hash: ED812871D002699BDB35DF94CC44BEEBAB8AB49710F4042EAEA09B7640D7705E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 017CFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017CFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017CFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017CFE2B

Memory Dump Source

Source File: 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp, Offset: 01710000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 040f9a1f733bf94000c2e126ee1664897dc1de3505e3d4df87bff845ab677267
Instruction ID: 326d02498f02f25a2659a37cd36b26988af972938c4fd83efcbee36b9d59a2a3
Opcode Fuzzy Hash: 040f9a1f733bf94000c2e126ee1664897dc1de3505e3d4df87bff845ab677267
Instruction Fuzzy Hash: 25F0FC72200501BFE6201A45DC05F23FF5ADB44B30F14431CF614561E1D962F86086F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior