Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name: Quotation.exe
Analysis ID: 1546656
MD5: fbd9ee316d3beb79ca69987ddc7563a3
SHA1: 9330cd86914cc967b3757cfd56e261661a207358
SHA256: dd15fe7ea08743edcf83e3511206a76569d339d9c6e10a99e7d977f911131b76
Tags: exe, user-TeamDreier

Detection

FormBook, GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Quotation.exe ReversingLabs: Detection: 44%
Source: Yara match File source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Quotation.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.4:59645 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.4:59646 version: TLS 1.2
Source: Quotation.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2224464006.000000003581E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222345921.0000000035660000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2224464006.000000003581E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222345921.0000000035660000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004066F7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004065AD FindFirstFileW,FindClose, 0_2_004065AD
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:59643
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:59644
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:59645 -> 142.250.186.174:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: Quotation.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Quotation.exe, 00000004.00000001.2043874157.00000000005F2000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Quotation.exe, 00000004.00000001.2043874157.00000000005F2000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/r
Source: Quotation.exe, 00000004.00000002.2282531159.0000000034D60000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262040393.0000000005784000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP
Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIPLo
Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIPRo
Source: Quotation.exe, 00000004.00000002.2262193150.00000000057BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: Quotation.exe, 00000004.00000003.2215204628.00000000057BD000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222512329.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222784659.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222813842.000000000579E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262103359.000000000579E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262193150.00000000057BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=download
Source: Quotation.exe, 00000004.00000003.2215204628.00000000057BD000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222512329.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222784659.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262193150.00000000057BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=download$
Source: Quotation.exe, 00000004.00000003.2222813842.000000000579E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2262103359.000000000579E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1l5psgXqmdwL1ZJzDGG3LfEbvUw5V8LIP&export=downloadl
Source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: Quotation.exe, 00000004.00000003.2169438323.00000000057FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 59646 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59646
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59645
Source: unknown Network traffic detected: HTTP traffic on port 59645 -> 443

E-Banking Fraud

Source: Yara match File source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: Quotation.exe
Source: C:\Users\user\Desktop\Quotation.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A435C0 NtCreateMutant,LdrInitializeThunk, 4_2_35A435C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_35A42DF0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A43090 NtSetValueKey, 4_2_35A43090
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A43010 NtOpenDirectoryObject, 4_2_35A43010
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A43D10 NtOpenProcessToken, 4_2_35A43D10
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A43D70 NtOpenThread, 4_2_35A43D70
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A439B0 NtGetContextThread, 4_2_35A439B0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A44650 NtSuspendThread, 4_2_35A44650
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A44340 NtSetContextThread, 4_2_35A44340
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42DB0 NtEnumerateKey, 4_2_35A42DB0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42DD0 NtDelayExecution, 4_2_35A42DD0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42D30 NtUnmapViewOfSection, 4_2_35A42D30
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42D00 NtSetInformationFile, 4_2_35A42D00
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42D10 NtMapViewOfSection, 4_2_35A42D10
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42CA0 NtQueryInformationToken, 4_2_35A42CA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42CF0 NtOpenProcess, 4_2_35A42CF0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42CC0 NtQueryVirtualMemory, 4_2_35A42CC0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42C00 NtQueryInformationProcess, 4_2_35A42C00
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42C60 NtCreateKey, 4_2_35A42C60
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42C70 NtFreeVirtualMemory, 4_2_35A42C70
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42FA0 NtQuerySection, 4_2_35A42FA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42FB0 NtResumeThread, 4_2_35A42FB0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42F90 NtProtectVirtualMemory, 4_2_35A42F90
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42FE0 NtCreateFile, 4_2_35A42FE0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42F30 NtCreateSection, 4_2_35A42F30
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42F60 NtCreateProcessEx, 4_2_35A42F60
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42EA0 NtAdjustPrivilegesToken, 4_2_35A42EA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42E80 NtReadVirtualMemory, 4_2_35A42E80
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42EE0 NtQueueApcThread, 4_2_35A42EE0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42E30 NtWriteVirtualMemory, 4_2_35A42E30
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42BA0 NtEnumerateValueKey, 4_2_35A42BA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42B80 NtQueryInformationFile, 4_2_35A42B80
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42BE0 NtQueryValueKey, 4_2_35A42BE0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42BF0 NtAllocateVirtualMemory, 4_2_35A42BF0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42B60 NtClose, 4_2_35A42B60
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42AB0 NtWaitForSingleObject, 4_2_35A42AB0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42AF0 NtWriteFile, 4_2_35A42AF0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A42AD0 NtReadFile, 4_2_35A42AD0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx, 0_2_004036DA
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 35A45130 appears 56 times
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 35A8F290 appears 100 times
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 359FB970 appears 247 times
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 35A7EA12 appears 70 times
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 35A57E54 appears 103 times
Source: Quotation.exe Static PE information: invalid certificate
Source: Quotation.exe, 00000004.00000003.2224464006.000000003594B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 00000004.00000002.2282846569.0000000035CA1000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 00000004.00000003.2222345921.0000000035783000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal88.troj.evad.winEXE@3/12@4/2
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\overlays
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Temp\nsi1716.tmp
Source: Quotation.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Quotation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Quotation.exe File read: C:\Users\user\Desktop\Quotation.exe
Source: unknown Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File written: C:\Users\user\Music\antithetic.ini Jump to behavior
Source: Quotation.exe Static file information: File size 1189752 > 1048576
Source: Quotation.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2224464006.000000003581E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222345921.0000000035660000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 00000004.00000002.2282846569.00000000359D0000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2224464006.000000003581E000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2222345921.0000000035660000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000002.2282846569.0000000035B6E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 00000004.00000001.2043874157.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2045391530.000000000592C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_73402351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73402351
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359D1368 push eax; iretd 4_2_359D1369
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359D27FA pushad ; ret 4_2_359D27F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359D225F pushad ; ret 4_2_359D27F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A009AD push ecx; mov dword ptr [esp], ecx 4_2_35A009B6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359D283D push eax; iretd 4_2_359D2858
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll
Source: C:\Users\user\Desktop\Quotation.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Quotation.exe API/Special instruction interceptor: Address: 5FBF2E9
Source: C:\Users\user\Desktop\Quotation.exe API/Special instruction interceptor: Address: 285F2E9
Source: C:\Users\user\Desktop\Quotation.exe RDTSC instruction interceptor: First address: 5F693CE second address: 5F693CE instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F772CBCD574h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test edx, 4B77E884h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Quotation.exe RDTSC instruction interceptor: First address: 28093CE second address: 28093CE instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F772CBDCE84h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test edx, 4B77E884h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD16A6 rdtsc 4_2_35AD16A6
Source: C:\Users\user\Desktop\Quotation.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp1B2F.tmp\System.dll
Source: C:\Users\user\Desktop\Quotation.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\Quotation.exe API coverage: 0.1 %
Source: C:\Users\user\Desktop\Quotation.exe TID: 8024 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004066F7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004065AD FindFirstFileW,FindClose, 0_2_004065AD
Source: Quotation.exe, 00000004.00000002.2262103359.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000004.00000003.2223028388.00000000057AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Quotation.exe, 00000004.00000002.2262040393.0000000005748000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Quotation.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD16A6 rdtsc 4_2_35AD16A6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_00403148 LdrInitializeThunk,GetTickCount,GetTickCount,LdrInitializeThunk,MulDiv,wsprintfW,LdrInitializeThunk, 0_2_00403148
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_73402351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73402351
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3D1D0 mov eax, dword ptr fs:[00000030h] 4_2_35A3D1D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3D1D0 mov ecx, dword ptr fs:[00000030h] 4_2_35A3D1D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD7120 mov eax, dword ptr fs:[00000030h] 4_2_35AD7120
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A01131 mov eax, dword ptr fs:[00000030h] 4_2_35A01131
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A01131 mov eax, dword ptr fs:[00000030h] 4_2_35A01131
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FB136 mov eax, dword ptr fs:[00000030h] 4_2_359FB136
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FB136 mov eax, dword ptr fs:[00000030h] 4_2_359FB136
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FB136 mov eax, dword ptr fs:[00000030h] 4_2_359FB136
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FB136 mov eax, dword ptr fs:[00000030h] 4_2_359FB136
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A99179 mov eax, dword ptr fs:[00000030h] 4_2_35A99179
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9148 mov eax, dword ptr fs:[00000030h] 4_2_359F9148
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9148 mov eax, dword ptr fs:[00000030h] 4_2_359F9148
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9148 mov eax, dword ptr fs:[00000030h] 4_2_359F9148
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9148 mov eax, dword ptr fs:[00000030h] 4_2_359F9148
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A93140 mov eax, dword ptr fs:[00000030h] 4_2_35A93140
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A93140 mov eax, dword ptr fs:[00000030h] 4_2_35A93140
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A93140 mov eax, dword ptr fs:[00000030h] 4_2_35A93140
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FF172 mov eax, dword ptr fs:[00000030h] 4_2_359FF172
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A07152 mov eax, dword ptr fs:[00000030h] 4_2_35A07152
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD5152 mov eax, dword ptr fs:[00000030h] 4_2_35AD5152
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FD08D mov eax, dword ptr fs:[00000030h] 4_2_359FD08D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8D080 mov eax, dword ptr fs:[00000030h] 4_2_35A8D080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8D080 mov eax, dword ptr fs:[00000030h] 4_2_35A8D080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2D090 mov eax, dword ptr fs:[00000030h] 4_2_35A2D090
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2D090 mov eax, dword ptr fs:[00000030h] 4_2_35A2D090
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A05096 mov eax, dword ptr fs:[00000030h] 4_2_35A05096
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3909C mov eax, dword ptr fs:[00000030h] 4_2_35A3909C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A250E4 mov eax, dword ptr fs:[00000030h] 4_2_35A250E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A250E4 mov ecx, dword ptr fs:[00000030h] 4_2_35A250E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A7D0C0 mov eax, dword ptr fs:[00000030h] 4_2_35A7D0C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A7D0C0 mov eax, dword ptr fs:[00000030h] 4_2_35A7D0C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD50D9 mov eax, dword ptr fs:[00000030h] 4_2_35AD50D9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A290DB mov eax, dword ptr fs:[00000030h] 4_2_35A290DB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC903E mov eax, dword ptr fs:[00000030h] 4_2_35AC903E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC903E mov eax, dword ptr fs:[00000030h] 4_2_35AC903E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC903E mov eax, dword ptr fs:[00000030h] 4_2_35AC903E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC903E mov eax, dword ptr fs:[00000030h] 4_2_35AC903E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8106E mov eax, dword ptr fs:[00000030h] 4_2_35A8106E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD5060 mov eax, dword ptr fs:[00000030h] 4_2_35AD5060
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov ecx, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11070 mov eax, dword ptr fs:[00000030h] 4_2_35A11070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A7D070 mov ecx, dword ptr fs:[00000030h] 4_2_35A7D070
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2B052 mov eax, dword ptr fs:[00000030h] 4_2_35A2B052
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A333A0 mov eax, dword ptr fs:[00000030h] 4_2_35A333A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A333A0 mov eax, dword ptr fs:[00000030h] 4_2_35A333A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A233A5 mov eax, dword ptr fs:[00000030h] 4_2_35A233A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AA13B9 mov eax, dword ptr fs:[00000030h] 4_2_35AA13B9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AA13B9 mov eax, dword ptr fs:[00000030h] 4_2_35AA13B9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AA13B9 mov eax, dword ptr fs:[00000030h] 4_2_35AA13B9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD539D mov eax, dword ptr fs:[00000030h] 4_2_35AD539D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A5739A mov eax, dword ptr fs:[00000030h] 4_2_35A5739A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A5739A mov eax, dword ptr fs:[00000030h] 4_2_35A5739A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABF3E6 mov eax, dword ptr fs:[00000030h] 4_2_35ABF3E6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD53FC mov eax, dword ptr fs:[00000030h] 4_2_35AD53FC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABB3D0 mov ecx, dword ptr fs:[00000030h] 4_2_35ABB3D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC132D mov eax, dword ptr fs:[00000030h] 4_2_35AC132D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC132D mov eax, dword ptr fs:[00000030h] 4_2_35AC132D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2F32A mov eax, dword ptr fs:[00000030h] 4_2_35A2F32A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8930B mov eax, dword ptr fs:[00000030h] 4_2_35A8930B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8930B mov eax, dword ptr fs:[00000030h] 4_2_35A8930B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8930B mov eax, dword ptr fs:[00000030h] 4_2_35A8930B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F7330 mov eax, dword ptr fs:[00000030h] 4_2_359F7330
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9353 mov eax, dword ptr fs:[00000030h] 4_2_359F9353
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9353 mov eax, dword ptr fs:[00000030h] 4_2_359F9353
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABF367 mov eax, dword ptr fs:[00000030h] 4_2_35ABF367
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A07370 mov eax, dword ptr fs:[00000030h] 4_2_35A07370
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A07370 mov eax, dword ptr fs:[00000030h] 4_2_35A07370
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A07370 mov eax, dword ptr fs:[00000030h] 4_2_35A07370
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FD34C mov eax, dword ptr fs:[00000030h] 4_2_359FD34C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FD34C mov eax, dword ptr fs:[00000030h] 4_2_359FD34C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AA3370 mov eax, dword ptr fs:[00000030h] 4_2_35AA3370
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD5341 mov eax, dword ptr fs:[00000030h] 4_2_35AD5341
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A152A0 mov eax, dword ptr fs:[00000030h] 4_2_35A152A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A152A0 mov eax, dword ptr fs:[00000030h] 4_2_35A152A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A152A0 mov eax, dword ptr fs:[00000030h] 4_2_35A152A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A152A0 mov eax, dword ptr fs:[00000030h] 4_2_35A152A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A972A0 mov eax, dword ptr fs:[00000030h] 4_2_35A972A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A972A0 mov eax, dword ptr fs:[00000030h] 4_2_35A972A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC92A6 mov eax, dword ptr fs:[00000030h] 4_2_35AC92A6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC92A6 mov eax, dword ptr fs:[00000030h] 4_2_35AC92A6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC92A6 mov eax, dword ptr fs:[00000030h] 4_2_35AC92A6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC92A6 mov eax, dword ptr fs:[00000030h] 4_2_35AC92A6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A892BC mov eax, dword ptr fs:[00000030h] 4_2_35A892BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A892BC mov eax, dword ptr fs:[00000030h] 4_2_35A892BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A892BC mov ecx, dword ptr fs:[00000030h] 4_2_35A892BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A892BC mov ecx, dword ptr fs:[00000030h] 4_2_35A892BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD5283 mov eax, dword ptr fs:[00000030h] 4_2_35AD5283
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3329E mov eax, dword ptr fs:[00000030h] 4_2_35A3329E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3329E mov eax, dword ptr fs:[00000030h] 4_2_35A3329E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB12ED mov eax, dword ptr fs:[00000030h] 4_2_35AB12ED
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FB2D3 mov eax, dword ptr fs:[00000030h] 4_2_359FB2D3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FB2D3 mov eax, dword ptr fs:[00000030h] 4_2_359FB2D3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FB2D3 mov eax, dword ptr fs:[00000030h] 4_2_359FB2D3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD52E2 mov eax, dword ptr fs:[00000030h] 4_2_35AD52E2
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABF2F8 mov eax, dword ptr fs:[00000030h] 4_2_35ABF2F8
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AAB2F0 mov eax, dword ptr fs:[00000030h] 4_2_35AAB2F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AAB2F0 mov eax, dword ptr fs:[00000030h] 4_2_35AAB2F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F92FF mov eax, dword ptr fs:[00000030h] 4_2_359F92FF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A092C5 mov eax, dword ptr fs:[00000030h] 4_2_35A092C5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A092C5 mov eax, dword ptr fs:[00000030h] 4_2_35A092C5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2F2D0 mov eax, dword ptr fs:[00000030h] 4_2_35A2F2D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2F2D0 mov eax, dword ptr fs:[00000030h] 4_2_35A2F2D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD5227 mov eax, dword ptr fs:[00000030h] 4_2_35AD5227
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A37208 mov eax, dword ptr fs:[00000030h] 4_2_35A37208
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A37208 mov eax, dword ptr fs:[00000030h] 4_2_35A37208
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ACD26B mov eax, dword ptr fs:[00000030h] 4_2_35ACD26B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ACD26B mov eax, dword ptr fs:[00000030h] 4_2_35ACD26B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A41270 mov eax, dword ptr fs:[00000030h] 4_2_35A41270
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A41270 mov eax, dword ptr fs:[00000030h] 4_2_35A41270
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A29274 mov eax, dword ptr fs:[00000030h] 4_2_35A29274
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9240 mov eax, dword ptr fs:[00000030h] 4_2_359F9240
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9240 mov eax, dword ptr fs:[00000030h] 4_2_359F9240
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3724D mov eax, dword ptr fs:[00000030h] 4_2_35A3724D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABB256 mov eax, dword ptr fs:[00000030h] 4_2_35ABB256
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABB256 mov eax, dword ptr fs:[00000030h] 4_2_35ABB256
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9D96 mov eax, dword ptr fs:[00000030h] 4_2_359F9D96
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9D96 mov eax, dword ptr fs:[00000030h] 4_2_359F9D96
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F9D96 mov ecx, dword ptr fs:[00000030h] 4_2_359F9D96
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A95DA0 mov eax, dword ptr fs:[00000030h] 4_2_35A95DA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A95DA0 mov eax, dword ptr fs:[00000030h] 4_2_35A95DA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A95DA0 mov eax, dword ptr fs:[00000030h] 4_2_35A95DA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A95DA0 mov ecx, dword ptr fs:[00000030h] 4_2_35A95DA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A39DAF mov eax, dword ptr fs:[00000030h] 4_2_35A39DAF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A1DDB1 mov eax, dword ptr fs:[00000030h] 4_2_35A1DDB1
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A1DDB1 mov eax, dword ptr fs:[00000030h] 4_2_35A1DDB1
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A1DDB1 mov eax, dword ptr fs:[00000030h] 4_2_35A1DDB1
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8DDB1 mov eax, dword ptr fs:[00000030h] 4_2_35A8DDB1
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FFD80 mov eax, dword ptr fs:[00000030h] 4_2_359FFD80
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8DDC0 mov eax, dword ptr fs:[00000030h] 4_2_35A8DDC0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ACDDC6 mov eax, dword ptr fs:[00000030h] 4_2_35ACDDC6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABDDC7 mov eax, dword ptr fs:[00000030h] 4_2_35ABDDC7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A03DD0 mov eax, dword ptr fs:[00000030h] 4_2_35A03DD0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A03DD0 mov eax, dword ptr fs:[00000030h] 4_2_35A03DD0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A13D20 mov eax, dword ptr fs:[00000030h] 4_2_35A13D20
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8FD2A mov eax, dword ptr fs:[00000030h] 4_2_35A8FD2A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8FD2A mov eax, dword ptr fs:[00000030h] 4_2_35A8FD2A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A13D00 mov eax, dword ptr fs:[00000030h] 4_2_35A13D00
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A07D75 mov eax, dword ptr fs:[00000030h] 4_2_35A07D75
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A07D75 mov eax, dword ptr fs:[00000030h] 4_2_35A07D75
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB9D70 mov eax, dword ptr fs:[00000030h] 4_2_35AB9D70
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AB9D70 mov eax, dword ptr fs:[00000030h] 4_2_35AB9D70
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359F7D41 mov eax, dword ptr fs:[00000030h] 4_2_359F7D41
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3BD4E mov eax, dword ptr fs:[00000030h] 4_2_35A3BD4E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3BD4E mov eax, dword ptr fs:[00000030h] 4_2_35A3BD4E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A8DD47 mov eax, dword ptr fs:[00000030h] 4_2_35A8DD47
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC1D5A mov eax, dword ptr fs:[00000030h] 4_2_35AC1D5A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC1D5A mov eax, dword ptr fs:[00000030h] 4_2_35AC1D5A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC1D5A mov eax, dword ptr fs:[00000030h] 4_2_35AC1D5A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AC1D5A mov eax, dword ptr fs:[00000030h] 4_2_35AC1D5A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD5D50 mov eax, dword ptr fs:[00000030h] 4_2_35AD5D50
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AD5D50 mov eax, dword ptr fs:[00000030h] 4_2_35AD5D50
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35ABFCAB mov eax, dword ptr fs:[00000030h] 4_2_35ABFCAB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2FCA0 mov ecx, dword ptr fs:[00000030h] 4_2_35A2FCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2FCA0 mov eax, dword ptr fs:[00000030h] 4_2_35A2FCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2FCA0 mov eax, dword ptr fs:[00000030h] 4_2_35A2FCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2FCA0 mov eax, dword ptr fs:[00000030h] 4_2_35A2FCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A2FCA0 mov eax, dword ptr fs:[00000030h] 4_2_35A2FCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3BCA0 mov eax, dword ptr fs:[00000030h] 4_2_35A3BCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3BCA0 mov eax, dword ptr fs:[00000030h] 4_2_35A3BCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3BCA0 mov ecx, dword ptr fs:[00000030h] 4_2_35A3BCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A3BCA0 mov eax, dword ptr fs:[00000030h] 4_2_35A3BCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A03C84 mov eax, dword ptr fs:[00000030h] 4_2_35A03C84
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A03C84 mov eax, dword ptr fs:[00000030h] 4_2_35A03C84
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A03C84 mov eax, dword ptr fs:[00000030h] 4_2_35A03C84
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A03C84 mov eax, dword ptr fs:[00000030h] 4_2_35A03C84
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_359FDCA0 mov eax, dword ptr fs:[00000030h] 4_2_359FDCA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AA1CF9 mov eax, dword ptr fs:[00000030h] 4_2_35AA1CF9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AA1CF9 mov eax, dword ptr fs:[00000030h] 4_2_35AA1CF9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AA1CF9 mov eax, dword ptr fs:[00000030h] 4_2_35AA1CF9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A35CC0 mov eax, dword ptr fs:[00000030h] 4_2_35A35CC0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A35CC0 mov eax, dword ptr fs:[00000030h] 4_2_35A35CC0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11CC7 mov eax, dword ptr fs:[00000030h] 4_2_35A11CC7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A11CC7 mov eax, dword ptr fs:[00000030h] 4_2_35A11CC7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A83CDB mov eax, dword ptr fs:[00000030h] 4_2_35A83CDB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A83CDB mov eax, dword ptr fs:[00000030h] 4_2_35A83CDB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35A83CDB mov eax, dword ptr fs:[00000030h] 4_2_35A83CDB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AAFCDF mov eax, dword ptr fs:[00000030h] 4_2_35AAFCDF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 4_2_35AAFCDF mov eax, dword ptr fs:[00000030h] 4_2_35AAFCDF
Source: C:\Users\user\Desktop\Quotation.exe Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx, 0_2_004036DA

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.2282815600.0000000035660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY