CAPE

Triggered CAPE Tasks: Task #87735: Extraction


Analysis

Category FILE
Package exe
Started 2019-08-13 16:11:24
Completed 2019-08-13 16:15:11
Duration 227 seconds
Options
route = internet
procdump = 1
Log
2019-08-13 17:11:25,000 [root] INFO: Date set to: 08-13-19, time set to: 16:11:25, timeout set to: 200
2019-08-13 17:11:25,015 [root] DEBUG: Starting analyzer from: C:\yixlmbucpk
2019-08-13 17:11:25,015 [root] DEBUG: Storing results at: C:\OhKqjdchF
2019-08-13 17:11:25,015 [root] DEBUG: Pipe server name: \\.\PIPE\XFlSfJ
2019-08-13 17:11:25,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-08-13 17:11:25,015 [root] INFO: Automatically selected analysis package "exe"
2019-08-13 17:11:25,483 [root] DEBUG: Started auxiliary module Browser
2019-08-13 17:11:25,483 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 17:11:25,483 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 17:11:26,200 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-08-13 17:11:26,200 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 17:11:26,200 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 17:11:26,216 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 17:11:26,216 [root] DEBUG: Started auxiliary module Human
2019-08-13 17:11:26,216 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 17:11:26,216 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 17:11:26,216 [root] DEBUG: Started auxiliary module Usage
2019-08-13 17:11:26,216 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-08-13 17:11:26,216 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-08-13 17:11:26,232 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\Quotation.exe" with arguments "" with pid 1860
2019-08-13 17:11:26,232 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 17:11:26,232 [lib.api.process] INFO: 32-bit DLL to inject is C:\yixlmbucpk\dll\JsbXWh.dll, loader C:\yixlmbucpk\bin\OPIiRfx.exe
2019-08-13 17:11:26,263 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\XFlSfJ.
2019-08-13 17:11:26,263 [root] DEBUG: Loader: Injecting process 1860 (thread 1460) with C:\yixlmbucpk\dll\JsbXWh.dll.
2019-08-13 17:11:26,263 [root] DEBUG: Process image base: 0x00400000
2019-08-13 17:11:26,263 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\yixlmbucpk\dll\JsbXWh.dll.
2019-08-13 17:11:26,263 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00465000 - 0x77110000
2019-08-13 17:11:26,263 [root] DEBUG: InjectDllViaIAT: Allocated 0x164 bytes for new import table at 0x00470000.
2019-08-13 17:11:26,263 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 17:11:26,263 [root] DEBUG: Successfully injected DLL C:\yixlmbucpk\dll\JsbXWh.dll.
2019-08-13 17:11:26,263 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1860
2019-08-13 17:11:28,276 [lib.api.process] INFO: Successfully resumed process with pid 1860
2019-08-13 17:11:28,276 [root] INFO: Added new process to list with pid: 1860
2019-08-13 17:11:28,368 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 17:11:28,368 [root] DEBUG: Process dumps enabled.
2019-08-13 17:11:28,431 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 17:11:28,431 [root] INFO: Disabling sleep skipping.
2019-08-13 17:11:28,431 [root] INFO: Disabling sleep skipping.
2019-08-13 17:11:28,431 [root] INFO: Disabling sleep skipping.
2019-08-13 17:11:28,431 [root] INFO: Disabling sleep skipping.
2019-08-13 17:11:28,431 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1860 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-08-13 17:11:28,431 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\Quotation.exe".
2019-08-13 17:11:28,431 [root] INFO: Monitor successfully loaded in process with pid 1860.
2019-08-13 17:11:28,463 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-08-13 17:11:28,572 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-08-13 17:11:28,572 [root] DEBUG: DLL unloaded from 0x00400000.
2019-08-13 17:11:28,704 [root] DEBUG: set_caller_info: Adding region at 0x01EA0000 to caller regions list (kernel32::SetErrorMode).
2019-08-13 17:11:28,734 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\IPHlpApi (0x1c000 bytes).
2019-08-13 17:11:28,744 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-08-13 17:11:28,744 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-08-13 17:11:28,744 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2019-08-13 17:11:28,744 [root] DEBUG: DLL loaded at 0x74520000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2019-08-13 17:11:28,755 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-08-13 17:11:28,765 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 17:11:28,786 [root] INFO: Announced 32-bit process name: Quotation.exe pid: 2040
2019-08-13 17:11:28,786 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 17:11:28,786 [lib.api.process] INFO: 32-bit DLL to inject is C:\yixlmbucpk\dll\JsbXWh.dll, loader C:\yixlmbucpk\bin\OPIiRfx.exe
2019-08-13 17:11:28,802 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\XFlSfJ.
2019-08-13 17:11:28,802 [root] DEBUG: Loader: Injecting process 2040 (thread 1756) with C:\yixlmbucpk\dll\JsbXWh.dll.
2019-08-13 17:11:28,802 [root] DEBUG: Process image base: 0x00400000
2019-08-13 17:11:28,802 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\yixlmbucpk\dll\JsbXWh.dll.
2019-08-13 17:11:28,802 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00465000 - 0x77110000
2019-08-13 17:11:28,802 [root] DEBUG: InjectDllViaIAT: Allocated 0x164 bytes for new import table at 0x00470000.
2019-08-13 17:11:28,802 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 17:11:28,802 [root] DEBUG: Successfully injected DLL C:\yixlmbucpk\dll\JsbXWh.dll.
2019-08-13 17:11:28,802 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2040
2019-08-13 17:11:28,931 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 17:11:28,931 [root] DEBUG: Process dumps enabled.
2019-08-13 17:11:28,941 [root] INFO: Disabling sleep skipping.
2019-08-13 17:11:28,961 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 17:11:28,961 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2040 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-08-13 17:11:28,961 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\Quotation.exe".
2019-08-13 17:11:28,961 [root] INFO: Added new process to list with pid: 2040
2019-08-13 17:11:28,961 [root] INFO: Monitor successfully loaded in process with pid 2040.
2019-08-13 17:11:28,983 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-08-13 17:11:29,003 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-08-13 17:11:29,003 [root] DEBUG: DLL unloaded from 0x00400000.
2019-08-13 17:11:29,061 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 17:11:29,161 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (kernel32::SetErrorMode).
2019-08-13 17:14:50,055 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 17:14:50,055 [root] INFO: Created shutdown mutex.
2019-08-13 17:14:51,069 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1860
2019-08-13 17:14:51,069 [root] INFO: Terminate event set for process 1860.
2019-08-13 17:14:51,069 [root] INFO: Terminating process 1860 before shutdown.
2019-08-13 17:14:51,069 [root] INFO: Waiting for process 1860 to exit.
2019-08-13 17:14:52,082 [root] INFO: Waiting for process 1860 to exit.
2019-08-13 17:14:53,128 [root] INFO: Waiting for process 1860 to exit.
2019-08-13 17:14:53,938 [root] DEBUG: Terminate Event: Attempting to dump process 1860
2019-08-13 17:14:53,938 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-08-13 17:14:53,938 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-08-13 17:14:53,938 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000161C.
2019-08-13 17:14:53,954 [root] INFO: Added new CAPE file to list with path: C:\OhKqjdchF\CAPE\1860_172740781853141613282019
2019-08-13 17:14:53,954 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x62c00.
2019-08-13 17:14:54,141 [root] INFO: Terminating process 2040 before shutdown.
2019-08-13 17:14:54,141 [root] INFO: Shutting down package.
2019-08-13 17:14:54,141 [root] INFO: Stopping auxiliary modules.
2019-08-13 17:14:54,141 [root] INFO: Finishing auxiliary modules.
2019-08-13 17:14:54,141 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 17:14:54,141 [root] WARNING: File at path "C:\OhKqjdchF\debugger" does not exist, skip.
2019-08-13 17:14:54,141 [root] INFO: Analysis completed.

MalScore

4.0

Suspicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-08-13 16:11:24
Shutdown On 2019-08-13 16:15:08

File Details

File Name Quotation.exe
File Size 405504 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 16c39d94f3ef2c7c1027d6ceea545ce5
SHA1 e5766eba0d5c6e36d2591a9637479d0133ef5199
SHA256 94b56c40c868fdc000d94bf6c275298ab80562cdf443fac66a4aec042089eb28
SHA512 2d693baf68f245ff4798515c012bcf09d77e317052870e231720ec0ab8b0ba3dc0a48a8223e018416bedcdd573c3702ed43cab467a56d5fd2323b869723e3b82
CRC32 74A09046
Ssdeep 6144:Bbrarc3ElhnldCOPs/qg1PAZvzfZEp2o4N1:Bbr0kEhdTk/nAZbwd4v
TrID
  • 62.9% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
  • 23.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 3.4% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 1.5% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/EnumFontFamiliesW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteProfileStringA
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/GetLongPathNameA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: IPHlpApi.DLL/GetAdaptersInfo
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: shell32.DLL/ShellExecuteA
DynamicLoader: shell32.DLL/SHCreateDirectoryExA
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: kernel32.dll/WaitForDebugEvent
DynamicLoader: kernel32.dll/ContinueDebugEvent
DynamicLoader: kernel32.dll/DebugActiveProcessStop
DynamicLoader: kernel32.dll/OutputDebugStringW
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: GDI32.dll/EnumFontFamiliesW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteProfileStringA
Installs itself for autorun at Windows startup
file: C:\Windows\win.ini
file: C:\Windows\win.ini


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\Quotation.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\win.ini
C:\Users\user\AppData\Local\Temp\IPHlpApi.DLL
C:\Windows\System32\IPHLPAPI.DLL
C:\Users\user\AppData\Local\Temp\WINNSI.DLL
C:\Windows\System32\winnsi.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\win.ini
C:\Windows\System32\IPHLPAPI.DLL
C:\Windows\System32\winnsi.dll
C:\Windows\win.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Quotation.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVBVM60.DLL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
kernel32.dll.NlsGetCacheUpdateCount
kernel32.dll.GetCalendarInfoW
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.EnumFontFamiliesW
kernel32.dll.Sleep
kernel32.dll.WriteProfileStringA
ntdll.dll.NtProtectVirtualMemory
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.GetFileSize
kernel32.dll.UnmapViewOfFile
kernel32.dll.VirtualProtectEx
kernel32.dll.GetLongPathNameA
kernel32.dll.TerminateProcess
iphlpapi.dll.GetAdaptersInfo
kernel32.dll.VirtualAllocEx
kernel32.dll.CreateProcessW
shell32.dll.ShellExecuteA
shell32.dll.SHCreateDirectoryExA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegSetValueExA
kernel32.dll.WaitForDebugEvent
kernel32.dll.ContinueDebugEvent
kernel32.dll.DebugActiveProcessStop
kernel32.dll.OutputDebugStringW
ole32.dll.CoCreateInstance
"C:\Users\user\AppData\Local\Temp\Quotation.exe"
Local\MSCTF.Asm.MutexDefault1

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0040161c
Reported Checksum 0x00071a4e
Actual Checksum 0x00071a4e
Minimum OS Version 4.0
Compile Time 2019-08-12 05:50:42
Import Hash 86df777628819a17f9efc28098861081

Sections

Name   Virtual Address  Virtual Size  Size of Raw Data  Entropy  Characteristics
.text  0x00001000       0x0005f308    0x00060000        5.93     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
.data  0x00061000       0x000029bc    0x00001000        0.00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.rsrc  0x00064000       0x000009c8    0x00001000        2.21     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
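The Entropy column and the Reported/Actual Checksum lines above can be recomputed from the file itself, which is a useful cross-check when a report is the only artifact you have. The script below is an added example, not CAPE's code and not part of the sample: it walks the PE section table with the standard library, computes the Shannon entropy of each section's raw on-disk bytes, and recomputes the optional-header checksum. It runs offline against a constructed PE32 stub (`build_test_pe`, a hypothetical three-section image built inline whose contents are chosen for known entropies), so every name and value in it is an assumption; feeding `section_entropies` the real Quotation.exe bytes would reproduce the table above. One reading aid: an entropy of 0.00 together with a nonzero raw size, as .data shows here, means every byte of that section on disk is identical (zero-filled).

```python
# Added example (not CAPE's own code): recompute the per-section Shannon entropy
# and the PE header checksum that the report lists, using only the standard library.
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for all-identical bytes, 8.0 for uniform), as in the Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_entropies(pe: bytes) -> list:
    """Walk the section table and return (name, virtual_address, virtual_size, raw_size, entropy) rows."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    sect_off = pe_off + 24 + opt_size                        # 4-byte signature + 20-byte file header
    rows = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sect_off + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]                  # bytes as they sit on disk, not in memory
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, raw_size,
                     round(shannon_entropy(raw), 2)))
    return rows


def pe_checksum(pe: bytes) -> int:
    """Recompute OptionalHeader.CheckSum (the 'Actual Checksum' line): ones'-complement sum of
    16-bit words, skipping the CheckSum field itself, plus the file length."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    csum_off = pe_off + 24 + 64                              # CheckSum sits 64 bytes into the optional header
    padded = pe + b"\0" * (len(pe) % 2)
    total = 0
    for i in range(0, len(padded), 2):
        if csum_off <= i < csum_off + 4:
            continue
        total += padded[i] | (padded[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)            # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(pe)) & 0xFFFFFFFF


def build_test_pe() -> bytes:
    """Constructed PE32 stub (headers plus three data-only sections, not a runnable program)
    used as offline sample input. Section contents are chosen for known entropies."""
    pe_off, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    sections = [
        (b".text", bytes(range(256)) * 4),    # every byte value equally frequent -> 8.00
        (b".data", bytes(0x400)),             # zero-filled on disk               -> 0.00
        (b".rsrc", b"\x00\xff" * 0x200),      # two values, equally frequent       -> 1.00
    ]
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic; CheckSum field left at zero
    table, body, ptr, va = bytearray(), bytearray(), raw_ptr, 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va, len(data), ptr,
                             0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
        va += 0x1000
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(table)
    return image + bytes(raw_ptr - len(image)) + bytes(body)


if __name__ == "__main__":
    sample = build_test_pe()
    for name, vaddr, vsize, raw_size, ent in section_entropies(sample):
        print(f"{name:<6} 0x{vaddr:08x} 0x{vsize:08x} 0x{raw_size:08x} {ent:.2f}")
    print(f"checksum 0x{pe_checksum(sample):08x}")
```

Entropy is computed over `SizeOfRawData` bytes at `PointerToRawData`, which is what the report's table describes; a packed or runtime-decrypted section looks different once it is mapped and written, so compare against a process dump separately. The checksum routine skips the CheckSum field itself, so writing the computed value back into the header and recomputing yields the same number, which is the property a Reported/Actual match expresses.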

Imports

Library MSVBVM60.DLL (entries shown as None are imported by ordinal and carry no name in the import table; the report prints the parser's empty name field):
0x401000 __vbaR8FixI4
0x401004 None
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaVarMove
0x401014 None
0x401018 __vbaFreeVar
0x40101c None
0x401020 __vbaLenBstr
0x401024 None
0x401028 __vbaFreeVarList
0x40102c _adj_fdiv_m64
0x401030 None
0x401034 __vbaFreeObjList
0x401038 __vbaR8Sgn
0x40103c _adj_fprem1
0x401040 __vbaStrCat
0x401044 __vbaSetSystemError
0x401048 None
0x401050 None
0x401054 None
0x401058 _adj_fdiv_m32
0x40105c None
0x401060 __vbaAryVar
0x401064 __vbaAryDestruct
0x401068 None
0x40106c __vbaLateMemSt
0x401070 __vbaExitProc
0x401074 __vbaObjSet
0x401078 __vbaOnError
0x40107c None
0x401080 _adj_fdiv_m16i
0x401084 __vbaObjSetAddref
0x401088 _adj_fdivr_m16i
0x40108c None
0x401090 None
0x401094 None
0x401098 __vbaFpR8
0x40109c None
0x4010a0 _CIsin
0x4010a4 None
0x4010a8 __vbaChkstk
0x4010ac __vbaGosubFree
0x4010b0 None
0x4010b4 EVENT_SINK_AddRef
0x4010bc __vbaStrCmp
0x4010c0 __vbaAryConstruct2
0x4010c4 __vbaVarTstEq
0x4010c8 __vbaObjVar
0x4010cc DllFunctionCall
0x4010d0 __vbaVarLateMemSt
0x4010d4 None
0x4010d8 None
0x4010dc _adj_fpatan
0x4010e0 __vbaLateIdCallLd
0x4010e4 None
0x4010e8 None
0x4010ec EVENT_SINK_Release
0x4010f0 None
0x4010f4 __vbaUI1I2
0x4010f8 _CIsqrt
0x401100 __vbaExceptHandler
0x401104 _adj_fprem
0x401108 _adj_fdivr_m64
0x40110c __vbaGosub
0x401110 None
0x401114 __vbaFPException
0x401118 __vbaStrVarVal
0x40111c None
0x401120 __vbaDateVar
0x401124 _CIlog
0x401128 __vbaErrorOverflow
0x40112c None
0x401130 __vbaNew2
0x401134 _adj_fdiv_m32i
0x401138 _adj_fdivr_m32i
0x40113c None
0x401140 __vbaVarSetObj
0x401144 __vbaI4Str
0x401148 __vbaFreeStrList
0x40114c _adj_fdivr_m32
0x401150 _adj_fdiv_r
0x401154 None
0x401158 __vbaVarTstNe
0x40115c None
0x401160 __vbaI4Var
0x401164 None
0x401168 __vbaVarAdd
0x40116c __vbaLateMemCall
0x401170 __vbaVarDup
0x401174 None
0x401178 __vbaFpI4
0x40117c None
0x401180 __vbaLateMemCallLd
0x401184 _CIatan
0x401188 __vbaAryCopy
0x40118c __vbaStrMove
0x401190 _allmul
0x401194 _CItan
0x401198 _CIexp
0x40119c __vbaFreeStr
0x4011a0 __vbaFreeObj
0x4011a4 None

.text
`.data
.rsrc
MSVBVM60.DLL
projectO
Tommeltottens
Skolemads4
Skolemads4
svikler
PLIFfjeB02.:&"
RKkucC;4/
VB5!6&*
unaccording
Frederiksborger
projectO
] 4+9?
projectO
Tommeltottens
Snackbarens
Dekagrammenes
morbidly
Luteolous5
Gangflower
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
svikler
__vbaAryConstruct2
__vbaFreeVar
__vbaHresultCheckObj
__vbaNew2
__vbaFreeStr
__vbaStrVarVal
__vbaVarDup
__vbaStrMove
__vbaFreeObj
__vbaVarSetObj
__vbaObjVar
__vbaLateMemCallLd
__vbaObjSetAddref
__vbaLateMemSt
__vbaVarAdd
__vbaLateMemCall
__vbaVarTstEq
__vbaFreeStrList
__vbaI4Str
__vbaStrCmp
__vbaLenBstr
__vbaAryVar
__vbaAryDestruct
VBA6.DLL
__vbaOnError
GetClipCursor
waveOutGetErrorTextA
SetBrushOrgEx
GetMessageA
GetLocaleInfoA
AddFormA
CallNamedPipeA
comdlg32.dll
GetOpenFileNameA
StretchDIBits
waveOutGetPitch
GetFontDataA
SetConsoleTextAttribute
AddPrinterDriverA
RedrawWindow
AbortDoc
IsBadReadPtr
IsValidSid
GetCurrentProcess
__vbaGenerateBoundsError
__vbaAryCopy
SetEndOfFile
GdiGetBatchLimit
RemoveMenu
GetAtomNameA
GetPrinterDriverDirectoryA
winspool.drv
EnumMonitorsA
CreateDIBPatternBrushPt
gdi32
SetArcDirection
__vbaFreeObjList
LookupPrivilegeDisplayNameA
SetActiveWindow
SetLastError
UnloadKeyboardLayout
ShowScrollBar
WriteConsoleOutputCharacterA
user32
SetEvent
midiOutPrepareHeader
RegGetKeySecurity
winmm.dll
ADVAPI32.DLL
kernel32
OwzP1ZanGm9hxia
GDI32
EnumFontFamiliesW
GetThreadContext
__vbaFpR8
__vbaVarLateMemSt
__vbaFreeVarList
__vbaStrCat
__vbaVarTstNe
__vbaErrorOverflow
__vbaGosubFree
__vbaExitProc
__vbaSetSystemError
__vbaFpI4
__vbaObjSet
__vbaLateIdCallLd
__vbaI4Var
__vbaR8Sgn
__vbaUI1I2
__vbaVarMove
__vbaDateVar
__vbaR8FixI4
__vbaGosub
Dekagrammenes
ANGLE
ANGLE
morbidly
epeeists
epeeists
Luteolous5
Sprjtemales6
Sprjtemales6
Snackbarens
v,RT
=kWfyk
j{/lP
AH+37
Ni(#2GbL
#q<=
{kj[_
**Jy'
=F:JwKQu
d;pC19
hE~Ws
oqv n=
LjrP2,
<tqr\
~5?`S
35UmI
{`2&N
PhtD@
Ph@F@
PhhR@
Ph,S@
PhTX@
PhH]@
Ph(_@
PhLj@
Ph,S@
Ph,S@
Ph,S@
Ph,S@
Ph,S@
Ph,S@
<h|O@
Ph,S@
Ph,S@
Ph,S@
Ph,S@
Ph,S@
Ph,S@
Ph,S@
h|O@
Ph,S@
Ph,S@
Ph8!A
MSVBVM60.DLL
__vbaR8FixI4
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaLenBstr
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
__vbaR8Sgn
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryVar
__vbaAryDestruct
__vbaLateMemSt
__vbaExitProc
__vbaObjSet
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
__vbaGosubFree
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaAryConstruct2
__vbaVarTstEq
__vbaObjVar
DllFunctionCall
__vbaVarLateMemSt
_adj_fpatan
__vbaLateIdCallLd
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaGosub
__vbaFPException
__vbaStrVarVal
__vbaDateVar
_CIlog
__vbaErrorOverflow
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaVarSetObj
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaI4Var
__vbaVarAdd
__vbaLateMemCall
__vbaVarDup
__vbaFpI4
__vbaLateMemCallLd
_CIatan
__vbaAryCopy
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
ased.dat
Appearance
qjdxcxtedwcupqtmvgekrezibzjgiiyymoqzazezoajxjyaaelxnndzayjbwtihvvjodvojqqorgtqjqmbnfxpnhimsqxhzammwiwuxqbezsaxgumubjdv14
dntwkrwmeunosuqytnkgjidvnidamlchqffcvdgrhdfgpnriepgkqkhvyxuzcxnpwysmytojemgbiwcuqtcwe112
rtoshvutdnipmajgqozzzzkqmqpxdgzgeojpvojtcquvcknubfkpmopiocdoqonfleykvgjsmwepidwarmcpbdaqwapryuobiihboahazwlumkx97
shgkzpmkxbjexoyqezzyklspxldzwmmuesvbtzdgidirzoacnvxrnwvaebcswzuvlwmvlygvslwwhggngrcxkjyvnrhaiedyrhonrnt177
lyakulzdxqbfcfnvowhdwunxfszyjabzpkyqzexcyubcxjdjkwuhkcumqhtbnuczdwbnnffdaaynhbnaeideakikc63
jvralxpujnbahcjbmbigcxyzicxuxobwpcasejkcntyjccdtmpudhniajjvsdzptenarivlxnwnzkwtbzzfniynavpepsncekifiqxtb189
yibbrpcvbnngdpjkovknvoyztaatonbbqojeengsmdawaypchcgdlgkzlaxgiincyfqtoyaxeekzolpvfbgptzzylglfchsiawfonzjshedkmdfwmgt22
mscvbqreuebbkzbiezfpnwcksmuadqkglbgohuxmymsjrmmcuokijgiwbldiddoywizvbmshwvnlxifernpgwxvsllqnregjjne94
eblmljhayurdaiqmirioxszkepirutcwvhavespqjuujmohrjxoazdurgwhoxczpvsidialywtfxgcdolexl76
Visible
Circle
owmqdxffmzfcnevvwxuvnbeiequopppcbyovoxnortpocmstgweqexxzqiqgoijasweplvfyypbcsacjyijfropcuditlqrotxwjnjjiorddbmbodlybu78
bhjlcssbtodxbokjxioyljuncmmqqjinqldrdtfjhptvywvioybpevgqgjqppavybkoayrmrznyhodmuxsfjxrsaxawmythoaxtlvoalpatdfpxesjeevd241
nqbwxlysjliunxhwuyvrjjlkieecdhhkjjarqxwctrnjgjakcnwfonwlmdtpuejbyfwygvoiuclazalahosscuebbflejkscqyjrsogzy230
HscrollB
mnwkzerxhjyqluglgvuujmktneefgewcpbkgjmiceeaxhgsfirdhjaafgoczenltokusbdgtyrhuqozzoihohecoreszrlljzpycfqv159
rtpewkeavksfyagmvoelbtfqruyjdlbdskmarzklfbkiizgdxfrrkxinitikiaqdkgzjgoyeatfhhigcjzbjlfizpdrvpsheedsfmjytpgue242
aqmkdszsxnqesxjlvbqsxcwhpeibjyxpsatmntiksmqgcsxvquzbrpwpsvljedlqswwdjrholvueglyzjaaruinhxlzseczxfikvldwalspizunvgzfaa22
wenwgnieejgpylfddktlwryevpzyyzrlcxirbjanyuxrmiupbqeamrggkdliusvtpyieaanrmbitiqjiokeduyagofnaxvexythbdjdujoglmhgk215
olaxvvkdbofatslpqopibscbjqyyuilzhfpicmgjyizrywthrbdlktwgmhevhdyteyskqncyaomjeevwjywhuxmc204
nglgvehgmnotcnjcadsuabiggbpreqzmfskkewamgohzfselppugovzirtmabcdmwpjwsgagupjlygggzuwakvec104
Yty6MFpqjLn0kIBf69m8goEr6W3dX5OCVM7U192
mzevymginjvcdgfxsrwmwcnewwznxwwnlyqmaxzedokvkgcwejvrbhnjzppjjiaupqebrwjfgkhysixftwnzalzhbqokptllvizbiccn241
bmpvedsjfjhhatggvmztptnehucmovwrnlzzabvtbxmhhcofzvhqeaohbgryoqydjitdyzzfxrfywxtzzynblllfrhuaznbolwzheeseojmdyjgypns172
qfcktcjizrcxennygyokpwcyryclywgfaypyzwricxqssdyzibyxclcmgkarhsejxhnmkfqrlrvsviwsqwncsxuifzwi44
wbmwicochgwbbicjjbxzrogugkjspjyvcldfeuneigoyqzzfjfyjdqrnyofhrqqjtugofiffuhlmldnhasfgffyzt199
xbquwnlbfcgiriyfiwgxpckbsjcvcbrlkdspkbookqiexhejgrsrxmrfnfvtvskefmhdzquvmutfwgokwuqhvdhnaelljdzrbcgsuuqrcpl8
Width
wbmwicochgwbbicjjbxzrogugkjspjyvcldfeuneigoyqzzfjfyjdqrnyofhrqqjtugofiffuhlmldnhasfgffyzt173
abyrwflopagpaiwkvjpuhqcpfaweebavywpnetoxinrqbtdyjoteokfccftyuwuzhthjtrvcvaifvdvlgyowixiyebyxwnibyzgsbsxdzuk181
jdctvoqvxvroekrmxarijdhxoweeifmjjiustgdysrgokihwjaprtrvabvcchcvpwikghlglsdflbeeoastqqwotzthmcooygwoihldujzhjbi35
uejipppiyvjyqlrrjknjdwemuggwaonumzfzcrqhuzuekmlwswliyqgyhdndxyjgbkkukpnztdhivwkppbocloeczqfmumytuq55
eblmljhayurdaiqmirioxszkepirutcwvhavespqjuujmohrjxoazdurgwhoxczpvsidialywtfxgcdolexl233
ndksliwkihowrkeolvbvyskwwahxueittcjjdtnwulntoxcktfvqddcuzvlwqmaaymifhwhgqrnxaxuidpwxfdkddujtyplhjluttjd147
jaxknjqcwielgheykesbghqqnknqvaoalcwacqznhbrvmiwqxmbehtrregxbcpsymlfuhdxklatqspagbengxsgfqwdctgwevglez235
jawyyugwdluvugisfenpenvqigfevwncxgtogfyuerbigtdhbmudjjylkpsfkdqznjevxviyxesytlqeksolnrywxtaycjcbylaacevb167
kecvmqxyykophlgixhsygeshjknosezjfkmlibnnwoehklevriudlfowkvorrhqgxfhanwgahlyxcanhulyjsjjsaxwhlfdxmovsnlw192
bgjzncivarugpnndshjmjpznxieeqfhqcpafhierfeeishczsxuohlolltlsxoszcjnbnixflrxopzcs42
allyqswkinxajtkkwrpvrfixvvkiaedbeslovtukzosbaujbcjnilfoqmpamkpdhwqspdrjpfewfkuswdwdavncqksycoxqgq7
jtukqncycdlkmaajwmbexcfwkaidbuctlfnbinyvdazjtpgwosqwprmegclzwkhctdapruhnbmadyqifzwqmsfcqzrffvsrd160
GIPQS2tiBOtAbXFssKIhmafrMom0Cwhz129
xhxdcefwdrdznpnoqbbpxbtsiaipawilivvuyffiktgpsqkykqmvrlkhwjhvdgtgmnoeuqlhmrcgdiotjzvodaqjerohrshzfq89
pqbmayvprcvfexymperveqbvxnfbnbsmrooykhfzudxqayeanuvpjsxbbnbimxbtabttcyalvndtarkrjvyrvfrrjfwubdnxzvfwa67
ajfpinvshbjxkqxwivqoojsqujtvmzfsgmmwdeqypydibuzwqvzvzhkhoavlecaqntndejbpxbkkbfooejwqcjvc130
ccdrcsoqoknwtjhcukbhcfsglnxscrglcqvqzwzvotkqiefboisyauyqawvzidkluigsuklgcujihbegwtdrajmlltjppthjzxkuunkixfmxyfrapiiikb139
irggasjwrhuagyekukuqytilqlhrvnizvhkelbepykayrfubhpfhekmudmujbzpijwssewyuzkstqzfom120
tzdyndoalagnrgwvmgcpzmlvpxqadczqqzjrekaxarbtbgryhafhylyimgmuyigbtmfrkgaluabqncdkmwgkwulyfkgzusesjsihy250
aqmkdszsxnqesxjlvbqsxcwhpeibjyxpsatmntiksmqgcsxvquzbrpwpsvljedlqswwdjrholvueglyzjaaruinhxlzseczxfikvldwalspizunvgzfaa7
gepbxnbmpqebhkmglzadqcvmkubbcmxiizbcjcmuvhbpzqzcrzzhbmzhheabobmqiggfymqdgsaerbfdofpup140
IS3LoT7moKdmG7B6bSUCrO86NyFoxOKO1
entjvbmfmxdyhutsomfuiohwidvomhajcicqzsfzfsptjyyzioaisbppegpcllkqywrnokzxrpfjjrssygecuvhj78
muykwafbborrfbkbunmrsrvnqojrzkijpytedqjtjgsjaaizsmpqbbfsesoakrwphszyrnwrigbhkoraqqfhlrgdhjqxozqkkkuezmkvvvx44
efrjyfxbsskxnmodaunxzjwbfuqbsbpcdltsgoeiarxiqfifytoabakcgcdbfgzvfomixbjzhalwosarwxg66
ncobucdamssmtkoifheqxlisiiieytnmrxcpxudzpnttqnsfniemgbrjlvlwtvxhlfkblmhvgabmmacqoleljnqksc70
gviqwqgcgsrdmcoptnuxipklqhvzvjqonnaiogjbmlaktalvnsnosfbxastrmidaefzmdmveqtxhmvcyyiifldegapozogzrqrvdmpvxbka151
njqpdjhynabxbqwrozrbewynhnffsvxvdzicwmeyrevsdspqbcitatdroisbhogdfmoirnigcsughvkpyhckeymqqdklqgzlr30
tceyloicicpbojypgpyadoefdcghmssgqknebzofqeklxpmjzkkyhlnbyvsvbklmpqihfyixnuyxkpzkane241
ggvkesbercregnzvzvykuymtlhrpqrurhfzvbrpggxqhxqkidnntnkdqetgctnohsdlryuyeovmzaqjmnsveiuhhyjqixo115
elsksxstbdkskszgelvwearwyvfqmyxnaqwujvdpzxkuyvmhpnmgxideqzfkbmftatpqtuvzpvdykjyoohgobsrrwqxft16
qmdlmtezhccrasybkpvjunxskzrasupqxdsabdrpbdcdatcbauwdyuwoqhbaeykhslpugydqummurzvpignhchhglypxfrvkiojfvv130
pcsdxlmqaifnpjfnthfgomhkemtuwaqgtzcvbannpyhtmviqzbpcwsymueeeyehwbrgmrosblbbeaqshvhvrivdgpovbvbaoknjqbyuhly113
xyllpiljeptfsfmquaiqmhuurxlipwtcmxuxsmkcaatmzhueveeelonwqqqsqfinwpcsajmuerijnrkbygkxcazzrhgbzwhypm82
ndkgxtnepkfgfkhiguwjwypwrwzluagvfggxhimerayhijjbxeopfukofegazzxbzlghxosucumebtkgldxdvbculrhphrrenqkpvanvot178
xbquwnlbfcgiriyfiwgxpckbsjcvcbrlkdspkbookqiexhejgrsrxmrfnfvtvskefmhdzquvmutfwgokwuqhvdhnaelljdzrbcgsuuqrcpl166
rpiwlakvjdlvcwzlxrvgukyjgzrypxazrlilinfpppqpywjgtqpbdgttwwtqtqipdgsamqlfqwrbakiqamxlyyktvzicxpbdaxutjszhn64
mcfiiiqespvzpjlmhanlykkpfxhhginfxorncaluprebbbexzsugmykxqnqouydgntfscfcekhdmqqkdpbncfctge77
Rp2l4mNuzeedsE4HfOfrwM8C153
gticqzpsmhkmybdnofnvjuebqpedlhcrdpfeezxvfelenjvnkkbcchqvxbcfkrflegatntgdnpddnukemcgrzoazhixaorrooedojhmyocxenkstxwlkr181
rqormoueresinybyggnmzlighuqptzjlgulzpwxvtyqcreecbvsbyglaqvhgxknrmeysvfefvvjtkztdnu101
rpezwpovmhcpmvdpzxljwwucuazucfhjjttbdgegngwjroecwevtjltbhfcepontqoqlrhwqyjiiphhnelnkizb171
dppzqmzcsgtpcwckeamwmjazgelehbzlggphvorgpmotsluwgmeqkxmlhnzvsathigrqeldhdasfvxeoyjtdjostducxyqsu63
ojuadfurtybngqvhhtvnaqhunipxgipnxvubgieqqdalflblcowzvfkcjidrtdybtcoybojkhicgutbpcxorkvmwepeekyqqppxhqvqeezbpzmcyxetes50
gzkdjqkkvrkhugoqswuuomyvjqtrfelcavigggxcekyqvzzpcdzhzqjwgyeogxlkzkcbjmscwkvfjmibemfwky134
N2q7TBg9nDY69
mbkrrcwuwzyprivgbnqhxdilseipkxsyvjltxbbxktjadrtstwdcpwymcnpoxiamamingvctaqsbctslzxupjnznskqqidjbkdsbrrdwblprlwuzdkiw72
jdxliqqshrusfjngtmeogwsasgnyeievjvuphillruvoxofixwttuavzbntjvttmlmfmifcybbomruccgxoosisv236
FFErJ0e4Z5IH7TWnjW111
ixslertnmeexqfatbcxqhfkzxowexcfpfqjaqrmewatwtuivaroiapmsshkhekypbsenmtehcnqciixhbkbwldmayymcrfjp219
ojuadfurtybngqvhhtvnaqhunipxgipnxvubgieqqdalflblcowzvfkcjidrtdybtcoybojkhicgutbpcxorkvmwepeekyqqppxhqvqeezbpzmcyxetes42
irggasjwrhuagyekukuqytilqlhrvnizvhkelbepykayrfubhpfhekmudmujbzpijwssewyuzkstqzfom163
ckoxbzyxvpnbcsmuklpvlfwexmmoontwkttcjetjwchhwzcnhtunjhdwmzhffssglfrfdjvhwycnxpzv189
nT71KKUO9qjwu8hAD3Omv9A3u9ZWVQcEXyOPEX226
gphpdylkxhrjpwempwmydyqrwggkbmhdpixhlzjunfnyllhtwzpjwxhwqwripcxcjawehtiehyfeqddbgyiaatqjuqvkyniwy225
czcdtxevkfnzigbofckizxvwcmqytfpsqatpxtmecqqkrjdasytipdcciyuuxnhzxgfbjbrgyxnujtshaodovrsnihni238
kbburkwimbyihjxanzhkfpqxeoogiwjohqovcjbomwaozevdrzcoyyjpnnsjydqsyfhimucmrkdbdwkkqtwbwtxcpnceutbrnhsaltwkefqpklqcpubr27
zbqkyaiynutsiiqvdcdbkjalhtdunvcmsjhwdlxklbrlrvizszqbsrrvcodmnlcwhidzvtgxnelxyynazawhnoudjfwcaxunkzdxcks211
rtpewkeavksfyagmvoelbtfqruyjdlbdskmarzklfbkiizgdxfrrkxinitikiaqdkgzjgoyeatfhhigcjzbjlfizpdrvpsheedsfmjytpgue198
aqmkdszsxnqesxjlvbqsxcwhpeibjyxpsatmntiksmqgcsxvquzbrpwpsvljedlqswwdjrholvueglyzjaaruinhxlzseczxfikvldwalspizunvgzfaa10
xrzrfrkjqhcrvxefiazoeblwlcfydfiosqzwdprgvcmhrbqbxtjqzkbwxejildcreusdbsrgzkpxxizoxnvvtcygndde41
oxihudzpiobmlekbckqaoigmsjthlbkjdduotwxlwrkobwcyntvubajjfirgmymufdbthffkjhnngyubnmbsnejvg103
uvxcqjecsqjthcmatkywuwaoihrbpsajewhorjwtnqxnxrokzlktpdbtuabxbjalkozhaqdyzaodfjpzwwbgtpvadjzktns145
soikwlborgcfqvcfsrqusqdjavjmqsybdpeancexmfadshqwxqizfxancfoucdfqeeqbbiwtczqjbgyoiazrowckdwfygsiadcjpljipyln152
kstQqOCZx4iQwHVKEXspd3btplKFz4155
lwzjafznlilycdeneowpvfmnawapztlerqabtmldocxjmdvslncswuqesaxttqcmfwbvmdaqjzdrixleaqcweuwurpvfwuesezpmvf104
owmqdxffmzfcnevvwxuvnbeiequopppcbyovoxnortpocmstgweqexxzqiqgoijasweplvfyypbcsacjyijfropcuditlqrotxwjnjjiorddbmbodlybu197
jtukqncycdlkmaajwmbexcfwkaidbuctlfnbinyvdazjtpgwosqwprmegclzwkhctdapruhnbmadyqifzwqmsfcqzrffvsrd130
dfhqmklfypnkjllhcmwsaiyycipeaqpviciqkvmdavipbsuxldfvhxdqmuisgifugbhzpuejlinwsihfxn123
cwbUzioZyV2O3LL0wuuqF27V237
nhuziztchqlggomyxlkzzcfjjmqowbzszbvlaqsrgkwsufstcfelixgvlbhjazxnubogbmewqhhkvpztyenjofbgu106
tazbtysqzmmnbhjhxuefcmjyhuxfzrwvgaswfvlmizlgeevnjxdntxcyvxrqnkltfveuqypjtonubefeumwrcmozifdfapvqnunimeuidkxsabfh117
sxuqurlvxlcjzehwjreicqhhmuxhbolmmsclykylunxugbniqbkpokftoiaaysolubcolgguwdjnrtsdbgmngvlmyekahroxwlcuzhjbjvwlxf242
xqebolqzusghxxozcnckdujtxkfghunhqltcxqhjqeshtrfwrwsmchpljejionzyrnuzeirvosemikhwhjdjxmencljczvxkmqaqhvywydivqkxljubbnpek7
bheqeicfwhqqnodjyugqkwbqkadxmqcxeugzmhpojcyiqrmeyulseozvaslsvevtpqlfjtxqwiizdxukukzcjgekrpokwv250
lmnrmjebmgbdhtcpjodpklmqktdiotxvvszentqxeikfsuexvbucpytsmghqgprtpypjsxbdczjutfgnpxqfdtfkeenzeyeqovldjy74
ytjmnsxvwtqlyapjqqcheqkksjfdfxxqktjoebvjfrftrunbkslkhumrptaydewfcixekaakldisswuxa122
cnpyvfzmgydicuucusaimuyocilwyujrimrrpwfifulahflehdmcxphdkgdnywstkgryekzumzxjwtbrtrrvoyhdskjuheqnrogrkdlllhhj153
wvbetrorfhwudbdghkzllxzgeldrnzccgyhuvpghnbkntzevmewjgujvekufgrkaaawsgtoeebnwtzfqdrsmsxjwavfuezevjpdssclrivppucda206
rtpewkeavksfyagmvoelbtfqruyjdlbdskmarzklfbkiizgdxfrrkxinitikiaqdkgzjgoyeatfhhigcjzbjlfizpdrvpsheedsfmjytpgue96
aqmkdszsxnqesxjlvbqsxcwhpeibjyxpsatmntiksmqgcsxvquzbrpwpsvljedlqswwdjrholvueglyzjaaruinhxlzseczxfikvldwalspizunvgzfaa82
rtpewkeavksfyagmvoelbtfqruyjdlbdskmarzklfbkiizgdxfrrkxinitikiaqdkgzjgoyeatfhhigcjzbjlfizpdrvpsheedsfmjytpgue106
ghvwthlkjzavsowbewdwvshtqlzbqvwpvbcgwcqyjifudfdrzouvktvwyklylzrgrfmqicnqbrnszutoffuysvpqqms68
pjzyrrqrquluwrrdgnfkxembziiauzidfnillpfzsmurnthpzaqipakuyzudyfswgupmwwyzzvkzfwcszyzsauvkldbbun129
rqormoueresinybyggnmzlighuqptzjlgulzpwxvtyqcreecbvsbyglaqvhgxknrmeysvfefvvjtkztdnu176
yxpuycrziawvufwkonlllarrdemptlyvksndnnafvczlbxjzphnaolblbqqsspfujieneymjuzwyztsjidrl182
wvbetrorfhwudbdghkzllxzgeldrnzccgyhuvpghnbkntzevmewjgujvekufgrkaaawsgtoeebnwtzfqdrsmsxjwavfuezevjpdssclrivppucda110
go7wImuM0v9HPCmPynw9jd1Wje2VvxPEfJa9yG220
bgjzncivarugpnndshjmjpznxieeqfhqcpafhierfeeishczsxuohlolltlsxoszcjnbnixflrxopzcs51
fdqyglujpbhafkxkltyntbkcphsrsnkjnxjkugbgrkcvznddjruvixglyeomevrzijilscqprkitrfwlumlandeuoixd146
ghvwthlkjzavsowbewdwvshtqlzbqvwpvbcgwcqyjifudfdrzouvktvwyklylzrgrfmqicnqbrnszutoffuysvpqqms212
pjzyrrqrquluwrrdgnfkxembziiauzidfnillpfzsmurnthpzaqipakuyzudyfswgupmwwyzzvkzfwcszyzsauvkldbbun172
evatwygpvuqwccqjgzlaqbsxcrbqtjhdyudkuoisoorypomglvmbbhmzlswmnetgcyyhjluxhnignyvxpdkryjdvwsamawrhtuwcgrolefb232
upVGQLIXq4W7D245
qgxovstlckprqngyhkfdojjbamtsudaonhsgikbnekufkypvsxjabfvratvvnwfelmjswhbqilflkbeinngvemgtzoognahgbvtepvfpfnsqs201
vnVdhbkIIbzvbC27211
ixslertnmeexqfatbcxqhfkzxowexcfpfqjaqrmewatwtuivaroiapmsshkhekypbsenmtehcnqciixhbkbwldmayymcrfjp204
apmyodqmfqgogwmfqalhvibhkaapjuwseepasihspbbtweeluttzufejyegnnrjstuvezjsbxztmhhoxrobxkgfyfixonfgtjnzrntfhvihyrvbhxligyyou230
whnxbtjuqrwwxnnmnsezwgaoalzhighgaqgghbmmhmbkxpdhbzwoazkoikhqnwwhoziwbbsecccphvmescflpomxzphdnhgdybj60
ojuadfurtybngqvhhtvnaqhunipxgipnxvubgieqqdalflblcowzvfkcjidrtdybtcoybojkhicgutbpcxorkvmwepeekyqqppxhqvqeezbpzmcyxetes157
roemhaeptksyaugjuwgxuczcpvricbflvxqphvdokvgxlzltaeormbawnoxixclvrmpmhzhdknhqpdxlmyopyxtwwi67
zunkbduuuparoblfpkleceprejxhtoqgsmxykiwthazzycsfiefsaqmiekrkhgrboaytejpadqrleyuzxsyojbposayedjplyfi132
ncobucdamssmtkoifheqxlisiiieytnmrxcpxudzpnttqnsfniemgbrjlvlwtvxhlfkblmhvgabmmacqoleljnqksc91
hztkhwnaxyyengugldhnltbzhxmcxkilhiqwhooobvywexunttclviydgpuanidmzvglhkigegsngrrllkylehcsie96
zmhyfltxvlgaquiahyqwxfvqueidmvnhysdbgjukdaduepqqxygdncakmgutpmoihbtyezyyolqyxalyqupnzrktnkgoldteozahyflsrdobxybcawl226
Label
okqrulobooyxdqknngsraxjxbbppctkuzaavlhonvbuldvmqikneshwnxierrtaugjlcxyjvrznrirthsbhdglhpqh70
imakjqyimphzwslhrffjtpuugzjjyxtxklkksionbrszblhvzrsehvlyozoelwkecxmptfwunjkjjcohsejvqzn31
Caption
sonfuuqlonplevkfreyctdwgshsftmfsqgbrdoutkrwpamzbnuywgehihwsqwafvqzuvqglugfgqmmqxlifyciqajhn100
xgnlmeznyumfmmqfisznvmfovhruicfimudvmplueblxsakyfypncpsjnuctwktjpxhxqtdspfbwiqccaphrgndohmezwkmabgzphs22
kTXzKTq4XtiTj8jYR9
igzveooxwbrvlnyltpdwqsvarcbgeemkbblulnpxfwuazjwcezbaiwkcytrrgcgegulhiuzhsluznpamrhhlprhmnukbqgtdeoosqbqyqzcdtuinpul68
ueenrgzlbowrclkrkweccjlpduxdwvgdaiiimfzmwmysdhcrcswlxkzdbmihdcjbpphawryypysakpsfnthuxcrnsfwjsocjfcxwzbfqwzzzcxqagyj51
nnwnqgyaiyvrouuhgcwkgnvehrnpqcjbldczyisqibzrhjpeqziscptcpoooosgkpismhogimzafqkhsibmijrxmshguzcai63
yaqhhybvnfwsfhbzdvblnipbnftjdwpnwhpeoqnwhfsrrslakrmpzcyztorwdfighkgepifjyxsmxceiehrnlcyeibihsggoehwnwkzymfdhlw124
wbmiwryiadgrmizpoccltibuloseooztqhhqafowlrdlvnsofgfkbajtsfkdicshswhnpquridmfkixjsfeaog136
yaqhhybvnfwsfhbzdvblnipbnftjdwpnwhpeoqnwhfsrrslakrmpzcyztorwdfighkgepifjyxsmxceiehrnlcyeibihsggoehwnwkzymfdhlw121
dntwkrwmeunosuqytnkgjidvnidamlchqffcvdgrhdfgpnriepgkqkhvyxuzcxnpwysmytojemgbiwcuqtcwe222
npxmukrmtsoxlwouqdgijbmdradnplmxnvivpeuaoxeqtnbxiawvxiendwyhyqlhmlukbekhoscqotbwsajwcunecn46
wwgmfqouultrcdhmlynfnendbbtwrxkrglhxhnxuoyvmgtfiyisieljwdreysanelwblfzsrwdevdkhcxmxoqleuzjqbx27
jmeixcviklrgmthdqapgqdybrybnmomntdzvxqpwdamfjsnzxdmnaqlpcpfppyeappoeoomkfwtcvepkogtxgywqiewjarbdvebyfqcxn156
olaxvvkdbofatslpqopibscbjqyyuilzhfpicmgjyizrywthrbdlktwgmhevhdyteyskqncyaomjeevwjywhuxmc1
vyhjnzbtqzgewgvlfahavgvcvsasrprikvuqogboapfmdzetilsnuxftghxklxyygdfhugapzqiqabukr224
plejvrxwgnfryskfkittxmliqmiqivdrccahmhhbxgekaqfbtmrrgfdrghplutpqrosaancbfeujqdmwonioaumhkvadwzglcwcvpwvswizwz151
gfvvybkvxrkosmntuosjvdfjlpatgoguxierqkezzpcbsyuzzfchwmrobcpqrvrssemyhbjdlqswbqqrbntqwfdzfczjxztwcqkqwgdt84
xhxdcefwdrdznpnoqbbpxbtsiaipawilivvuyffiktgpsqkykqmvrlkhwjhvdgtgmnoeuqlhmrcgdiotjzvodaqjerohrshzfq37
ycveaorhvvaftkrhmrvgpkkijnclqxmzgskllupppksxkddwaetbnrjcwnrbrfizrgjrehzxsddphnyol75
gphpdylkxhrjpwempwmydyqrwggkbmhdpixhlzjunfnyllhtwzpjwxhwqwripcxcjawehtiehyfeqddbgyiaatqjuqvkyniwy52
ldkqvgqhhtsvokpsloafbrzlcnynkgvuxbrqnydhqppaouglmxqfkpjyqvzhggfjxpklbmgsbkulablpjwsedqpedqvzqxxidtnjnklggfglct80
yxpuycrziawvufwkonlllarrdemptlyvksndnnafvczlbxjzphnaolblbqqsspfujieneymjuzwyztsjidrl41
rvuboavmezwtldwuekxgdvbxncglrlxpcuhhndmfngjnakxznsycymtqlrjpwbqwvcdvunrttzpkrtaipajzuhifgxtbicgutylfvyzbvnswuyuwjnimcaip33
aqhofjkwafdyexblwoilwpdkyszhffrzgjwuxhspuzvuunpqaqkeripumehnkhmlgbsjvtsniqexvfgpgstjgwzrrarqc23
yaqhhybvnfwsfhbzdvblnipbnftjdwpnwhpeoqnwhfsrrslakrmpzcyztorwdfighkgepifjyxsmxceiehrnlcyeibihsggoehwnwkzymfdhlw242
dntwkrwmeunosuqytnkgjidvnidamlchqffcvdgrhdfgpnriepgkqkhvyxuzcxnpwysmytojemgbiwcuqtcwe221
bzystbrbfgnjdgcylifwddmpvrfgfsxaweiqnxmndrmrqqrgrngbtrurnyjflypcjqflyardtgguxubhwzrhourhuvtposuuejkkfaqstataeisws15
ljmddnufibbgwqxbufmqicpfasvnehgdjcxdmqdhsfrzbzcwzrvmehwfuigmuzogsvoshnidybngvxuotsqdxbllbsqswoigstyhjwjshtcnxbycjnmzh216
wbmwicochgwbbicjjbxzrogugkjspjyvcldfeuneigoyqzzfjfyjdqrnyofhrqqjtugofiffuhlmldnhasfgffyzt29
xbquwnlbfcgiriyfiwgxpckbsjcvcbrlkdspkbookqiexhejgrsrxmrfnfvtvskefmhdzquvmutfwgokwuqhvdhnaelljdzrbcgsuuqrcpl141
yaqhhybvnfwsfhbzdvblnipbnftjdwpnwhpeoqnwhfsrrslakrmpzcyztorwdfighkgepifjyxsmxceiehrnlcyeibihsggoehwnwkzymfdhlw107
ajfpinvshbjxkqxwivqoojsqujtvmzfsgmmwdeqypydibuzwqvzvzhkhoavlecaqntndejbpxbkkbfooejwqcjvc221
ugTGUlWSyYzBKvPyYSXPvuHVqrZYONB112
awthutkgdfdfcdboyffzdgkyargjhpnrcwsfgmznofyfrnkbxrndoexlhirpvgruzvcftiioxwconjogdtgdtdoukuakvtobnaawscfkalrtbmh49
wioweydgblpcuphyxtowauroktpfipkccindyxownigkjspatajrvswawsrjxvbemckuvrwdevfzfdficbdzjscojvmlwc134
allyqswkinxajtkkwrpvrfixvvkiaedbeslovtukzosbaujbcjnilfoqmpamkpdhwqspdrjpfewfkuswdwdavncqksycoxqgq30
kmobkxheeootqtlaohglpewfujcjezmunmkwtjhbdwbyyfbhkuwsutscxxaynwzbnctnwuqaborbsnhwnrlgkisuvebjmejvfyoxbixnsh41
ghvwthlkjzavsowbewdwvshtqlzbqvwpvbcgwcqyjifudfdrzouvktvwyklylzrgrfmqicnqbrnszutoffuysvpqqms124
pjzyrrqrquluwrrdgnfkxembziiauzidfnillpfzsmurnthpzaqipakuyzudyfswgupmwwyzzvkzfwcszyzsauvkldbbun234
wbmwicochgwbbicjjbxzrogugkjspjyvcldfeuneigoyqzzfjfyjdqrnyofhrqqjtugofiffuhlmldnhasfgffyzt23
UyeM0D3jEhCnwM86LUgkxEchz0209
xbquwnlbfcgiriyfiwgxpckbsjcvcbrlkdspkbookqiexhejgrsrxmrfnfvtvskefmhdzquvmutfwgokwuqhvdhnaelljdzrbcgsuuqrcpl191
rpiwlakvjdlvcwzlxrvgukyjgzrypxazrlilinfpppqpywjgtqpbdgttwwtqtqipdgsamqlfqwrbakiqamxlyyktvzicxpbdaxutjszhn56
pqbmayvprcvfexymperveqbvxnfbnbsmrooykhfzudxqayeanuvpjsxbbnbimxbtabttcyalvndtarkrjvyrvfrrjfwubdnxzvfwa66
evatwygpvuqwccqjgzlaqbsxcrbqtjhdyudkuoisoorypomglvmbbhmzlswmnetgcyyhjluxhnignyvxpdkryjdvwsamawrhtuwcgrolefb95
dppzqmzcsgtpcwckeamwmjazgelehbzlggphvorgpmotsluwgmeqkxmlhnzvsathigrqeldhdasfvxeoyjtdjostducxyqsu22
hztkhwnaxyyengugldhnltbzhxmcxkilhiqwhooobvywexunttclviydgpuanidmzvglhkigegsngrrllkylehcsie154
lnszziedckyaguhwncqjnsbmgjunsrfkvfzhzqikfgvefngkhgqaoosuloqjrxtwauucrdfqtbaudqizks28
ydwqpdbnosjvekonrrasrefiorkxqbnxuonwgfqisvhkqswfwfaclaciqdwxjskxqhlqoqojgaeigriqdvyxefgtrzmrbnyhpyzrejrzivkjtjwcpcfyoto130
focronplzlhczwiqrbdbfklklgohnvonhpjwgsiklwtsedcpznvacchecfbwlacgwivqnktpplxmfbdzjwyzkuhunbymnxxndgysaqufptedurjzaswqupin168
VB.CheckBo
sutclwbztgcmobciujnjzhkxcuqnrcutacbkwhlvhkeopglhurlzdtifwkzwmclzxyayaxnusfnztkgefbml241
uuclzdkswamjjcxunxbrtpylvositheccrbumkmwiscnzidftpsosaqigbbxdtxsxhccegdnpjdsrlxhgs239
xisheupzgkptzpgorntiwoavqpzwwdbuwfycitonmgkdklbuulxyredmrscyjktbaslkfswgilmzsbwjgqpgppduyggepulqqcrprgocddisodrcjf64
GIPQS2tiBOtAbXFssKIhmafrMom0Cwhz98
wioweydgblpcuphyxtowauroktpfipkccindyxownigkjspatajrvswawsrjxvbemckuvrwdevfzfdficbdzjscojvmlwc215
rYivx168
xerhgjvxjhgfcletxexwslhlckjqmmiewttqlfafxtbkocgkcbrhidosfdwxginrdoiukaouqrptupaiszqkavbmdrh221
hqhejqctqtxzexpoudtactwbwyxhlpwazfslwguaunbfrcxczhawmvtyumiuruurizvyylyfkcziqewwselomht88
eryhjychgvxsuyrjhqkdkeenjhdyjpmpkmvncourwqssnqynxkziuxeafmlpsplxhsvsdlxzbwkirhpvjznazns162
zkbpxgsfuztwrrvmtcroujejtsrpyqpyaleiotrytkocfqfllksqbewborosjzlryeomerqyhiecolhpsgjdfodfemcdcwaldjwcqhtrvn126
aqhofjkwafdyexblwoilwpdkyszhffrzgjwuxhspuzvuunpqaqkeripumehnkhmlgbsjvtsniqexvfgpgstjgwzrrarqc147
kvvlltcoombrmcirgumsxrhgpxhmlbsojylrofkumsddevponbikdzqmejhhpohqseahsvlarnuzxukceoru212
niqdouxsvdsgppzljympccdncjxtsqwxpcfraadgotgfydwheccrcjklusnfpcdfgknjhftuovtoirbngvepuxeixaihzifiujaq49
fflbmgyzdonbolkxwgaewchfidzwodhocytpurmvztmidmgrmpsbcjkbgutitywrushozufmpyuwehyfccbhsvhvsdujkmmdswxrani247
rPfvApE3WCzUN4tJ0MBScoi195
fflbmgyzdonbolkxwgaewchfidzwodhocytpurmvztmidmgrmpsbcjkbgutitywrushozufmpyuwehyfccbhsvhvsdujkmmdswxrani114
geqnmclsinnrtljmqafpswrmpzjncqygwveoennmysrbffsmnagiyvrnbufxfnoohihejvfquobwqfpfgr218
nqbwxlysjliunxhwuyvrjjlkieecdhhkjjarqxwctrnjgjakcnwfonwlmdtpuejbyfwygvoiuclazalahosscuebbflejkscqyjrsogzy22
rpnsikargkzcpwhlwfdovxsgxlartqgpececzzvlnclcgaskjueydnaocnxnomiuoavuaoaguchilrazdvetmkyj83
huiehbwwnvhnabrjomplgvplldnnvfpqzrxxtuijjbkxnmsmrrgnvwirgbovuwacfdxntdgrcxwonqswgvklbbvyhmluxignuwlzpgffmarjhs106
rpiwlakvjdlvcwzlxrvgukyjgzrypxazrlilinfpppqpywjgtqpbdgttwwtqtqipdgsamqlfqwrbakiqamxlyyktvzicxpbdaxutjszhn205
ncopgntuuviwhjrcahzevrnsdeasyolodbzecichmcegkzzwrixkiryeqegabjuimejcbdsjsdatnvsowzfqzlhbzzmn224
dzgbhiauhbxgyhxkewtfxkzdomichxiiztiadanoezkqzrjepknriycuxplgbobukygqdjhwqjwmvvtkxqoplqbbpvkfszxiyaupjinwgqamns221
xrzrfrkjqhcrvxefiazoeblwlcfydfiosqzwdprgvcmhrbqbxtjqzkbwxejildcreusdbsrgzkpxxizoxnvvtcygndde84
ckokmjpqcsdkrrpofkkjjlbesiecoirywxqqotsrtrruqkjdltnmlykqsicjngphmdqhtaguibbvykptxms72
nrxaacivmdvozxzwvlnkiwsorsvjzobuxsdzzlfhvesxyerfmjhingpphmpszijwmktdsxzirwwtottqf73
eclaraxjrfxuojcomypqwngvehznewrtffvzozawqbipsfxzmfanpcgtjnyazuwevrhwytazzxzbfcwjykazxevfhtaguakxtouzyvimkvtjhphkmnm182
gbonnrqqlkeewihswrjeotycauthtafqxjachyzdjeijivxbvqarpvcupfzwcljelefondxecufqtssfsaprkyfumzpqfxnuyklet124
wvgzqbeocojbrckggxitmksdwxlkrtjtspellbwclngaaemzcilggbqqjbzcaokfmvzmurdfigddegxafazugjwmhgnwgxaf235
ldkqvgqhhtsvokpsloafbrzlcnynkgvuxbrqnydhqppaouglmxqfkpjyqvzhggfjxpklbmgsbkulablpjwsedqpedqvzqxxidtnjnklggfglct83
bhjlcssbtodxbokjxioyljuncmmqqjinqldrdtfjhptvywvioybpevgqgjqppavybkoayrmrznyhodmuxsfjxrsaxawmythoaxtlvoalpatdfpxesjeevd46
pcsdxlmqaifnpjfnthfgomhkemtuwaqgtzcvbannpyhtmviqzbpcwsymueeeyehwbrgmrosblbbeaqshvhvrivdgpovbvbaoknjqbyuhly26
mhlsktrmfkyjnogifexgcvdglfxdeubjtonvzibejzwmkhxulpbhlesnlkrxtoglvqkvcopsilkdykqirhuuu56
huiehbwwnvhnabrjomplgvplldnnvfpqzrxxtuijjbkxnmsmrrgnvwirgbovuwacfdxntdgrcxwonqswgvklbbvyhmluxignuwlzpgffmarjhs95
IS3LoT7moKdmG7B6bSUCrO86NyFoxOKO132
geqnmclsinnrtljmqafpswrmpzjncqygwveoennmysrbffsmnagiyvrnbufxfnoohihejvfquobwqfpfgr35
cwbUzioZyV2O3LL0wuuqF27V60
kmobkxheeootqtlaohglpewfujcjezmunmkwtjhbdwbyyfbhkuwsutscxxaynwzbnctnwuqaborbsnhwnrlgkisuvebjmejvfyoxbixnsh65
abyrwflopagpaiwkvjpuhqcpfaweebavywpnetoxinrqbtdyjoteokfccftyuwuzhthjtrvcvaifvdvlgyowixiyebyxwnibyzgsbsxdzuk133
pvmsatltbflvqcbimwjxjnnjuieqphmhzgiyyalemykorjgbovqnjemncagnfkedutbrqebaxwzrtsjfo35
YAzC9vNgtYnTLPONGtZ7m25
uejipppiyvjyqlrrjknjdwemuggwaonumzfzcrqhuzuekmlwswliyqgyhdndxyjgbkkukpnztdhivwkppbocloeczqfmumytuq30
wenwgnieejgpylfddktlwryevpzyyzrlcxirbjanyuxrmiupbqeamrggkdliusvtpyieaanrmbitiqjiokeduyagofnaxvexythbdjdujoglmhgk34
mhlsktrmfkyjnogifexgcvdglfxdeubjtonvzibejzwmkhxulpbhlesnlkrxtoglvqkvcopsilkdykqirhuuu5
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
042204B0
Comments
Tedatata6
CompanyName
amazoN.COM
FileDescription
Discountbutikken7
LegalCopyright
LegalTrademarks
Levnendes
ProductName
FileVersion
8.02.0002
ProductVersion
8.02.0002
InternalName
unaccording
OriginalFilename
unaccording.exe
This file is not on VirusTotal.

Process Tree


Quotation.exe, PID: 1860, Parent PID: 2480
  Full Path: C:\Users\user\AppData\Local\Temp\Quotation.exe
  Command Line: "C:\Users\user\AppData\Local\Temp\Quotation.exe"
    Quotation.exe, PID: 2040, Parent PID: 1860
      Full Path: C:\Users\user\AppData\Local\Temp\Quotation.exe
      Command Line: "C:\Users\user\AppData\Local\Temp\Quotation.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted files

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

Dropped Files

File name: win.ini
Associated Filenames: C:\Windows\win.ini
File Size: 509 bytes
File Type: ASCII text, with CRLF line terminators
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA1: deb3d3bdc9055f0b4909b31d3048446848fae0e1
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
CRC32: BF84F0B8
Ssdeep: 12:F4Yv65RdlpcgbtrMv4Fblu0N5ZSESow46T:F30jpPtpxP5ZY4E
ClamAV: None
Yara: None matched
CAPE Yara: None matched
File contents:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
[kernel32]
kernel32=kernel32
CAPE

No CAPE files.

Process Dumps
Process Name: Quotation.exe
PID: 1860
Dump Size: 404480 bytes
Module Path: C:\Users\user\AppData\Local\Temp\Quotation.exe
Type: PE image, executable
MD5: 4023800b9a1b646fa6ec6a6aa761f94d
SHA1: 5fcb49d9bdccd109ab3b4244134bcc128cdc71d0
SHA256: ddb1cf63359f5158e819635b201b64dde2e10d6a5a5f8fca863c5d2225674fcc
CRC32: B7FE0E94
Ssdeep: 6144:Kbrarc3ElhnldCOPs/qg1PAZvzfZEp2o4N1:Kbr0kEhdTk/nAZbwd4v
ClamAV: None
Yara: None matched
CAPE Yara: None matched
Dump Filename: ddb1cf63359f5158e819635b201b64dde2e10d6a5a5f8fca863c5d2225674fcc

Processing ( 4.657 seconds )

  • 2.85 BehaviorAnalysis
  • 0.792 Static
  • 0.424 CAPE
  • 0.208 TargetInfo
  • 0.206 ProcDump
  • 0.104 TrID
  • 0.029 Deduplicate
  • 0.022 Strings
  • 0.01 Dropped
  • 0.006 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 1.262 seconds )

  • 0.151 injection_createremotethread
  • 0.139 InjectionCreateRemoteThread
  • 0.136 Doppelganging
  • 0.135 antidebug_guardpages
  • 0.111 injection_runpe
  • 0.11 stealth_timeout
  • 0.109 InjectionProcessHollowing
  • 0.099 InjectionInterProcess
  • 0.081 decoy_document
  • 0.073 api_spamming
  • 0.055 stack_pivot
  • 0.012 antiav_detectreg
  • 0.006 antidbg_windows
  • 0.005 infostealer_ftp
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 rat_nanocore
  • 0.001 exploit_getbasekerneladdress
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 infostealer_browser_password
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 ransomware_message
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn

Reporting ( 0.017 seconds )

  • 0.016 SubmitCAPE
  • 0.001 CompressResults

Task ID: 87734
Mongo ID: 5d52e21ca391c3d188a52dac
Cuckoo release: 1.3-CAPE