Analysis Report (appproved)WJO-TT180,pdf.exe

Overview

General Information

Sample Name: (appproved)WJO-TT180,pdf.exe
Analysis ID: 356452
MD5: e47851c94fdefd958cfe16af2af3661a
SHA1: 7e027a9fadf5f4d9c1bb65c68db34cc5318353b0
SHA256: 92244ef8477d782361d87f7571458bccf8de2af4cccfd738bde234d91216fbe3
Tags: exe, SnakeKeylogger


Detection

Snake Keylogger
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Injects a PE file into a foreign processes
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.419975488.0000000003509000.00000004.00000001.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@aruscomext.comBhnCP!@g6smtp.aruscomext.com"}}
Multi AV Scanner detection for submitted file
Source: (appproved)WJO-TT180,pdf.exe Virustotal: Detection: 18%
Source: (appproved)WJO-TT180,pdf.exe ReversingLabs: Detection: 12%
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.(appproved)WJO-TT180,pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen

Compliance:

Uses 32bit PE files
Source: (appproved)WJO-TT180,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.6:49732 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: (appproved)WJO-TT180,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 131.186.161.70 131.186.161.70
Source: Joe Sandbox View IP Address: 104.21.19.200 104.21.19.200
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.6:49732 version: TLS 1.0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597310595.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597310595.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/HB
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597310595.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org4
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.orgD8
Source: (appproved)WJO-TT180,pdf.exe String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: (appproved)WJO-TT180,pdf.exe String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.334003174.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.333466058.000000000555B000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.333585529.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.comx
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://freegeoip.app
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597310595.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: (appproved)WJO-TT180,pdf.exe String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.349835607.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.K9
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.338965985.0000000005563000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.339262342.0000000005563000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlU
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.339262342.0000000005563000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlV
Source: (appproved)WJO-TT180,pdf.exe String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: (appproved)WJO-TT180,pdf.exe String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337378048.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337929066.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com#vn
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337929066.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337602568.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comV
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337499341.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comams
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337540831.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comct0
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337929066.000000000555B000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337602568.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.come
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.338549853.000000000555C000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comm
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337929066.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comn-u
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337929066.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comn-uU
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.338241457.0000000005564000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337602568.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.-
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337929066.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.G
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337929066.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comradq
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337929066.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comuct2
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337499341.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comypox
Source: (appproved)WJO-TT180,pdf.exe String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000003.349835607.000000000555B000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000003.343079140.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.342689335.000000000555E000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000003.342629017.000000000555E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.347344265.000000000557E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlsd9#
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.343474220.000000000557E000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000003.343459978.000000000555B000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.344398062.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersM
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.344134436.000000000555B000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000003.343035874.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersP
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.343459978.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersq
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.344134436.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersr
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.416798330.0000000000C07000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.416798330.0000000000C07000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.coma1
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.416798330.0000000000C07000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comgrito
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336906415.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336284668.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336906415.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/C
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336561668.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnV
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336906415.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnade
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336906415.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnei
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336828517.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnh-c
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336642030.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnicrk
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336561668.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnn-u~
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336906415.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnnie
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336642030.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnnie9
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336906415.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnradq
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.347435048.000000000555B000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.347435048.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmjsv
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.347237992.000000000555B000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000003.347777721.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.347020395.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.1
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000000.00000003.332645551.0000000005542000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.332645551.0000000005542000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.coma
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.339003661.0000000005563000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.comM
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336355922.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.c
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336219913.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.c8
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336098960.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krFe:
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336284668.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krim
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.335938249.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krom
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.336098960.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krs-c
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.338069889.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comslnt
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.344532501.0000000005567000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.342050521.000000000555E000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de2
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.424947613.0000000006752000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.341818314.000000000555E000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dea
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337329360.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337329360.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnh
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337329360.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnicr
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000003.337329360.000000000555B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.U
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597310595.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.38
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.38x
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597310595.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app4
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp, (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597496053.0000000002D60000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597436548.0000000002D32000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 0_2_00BFF2D0 0_2_00BFF2D0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 0_2_00BFF2C0 0_2_00BFF2C0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 0_2_00BFD20C 0_2_00BFD20C
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 0_2_08846010 0_2_08846010
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 0_2_08840011 0_2_08840011
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 0_2_08840040 0_2_08840040
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 0_2_08841D7D 0_2_08841D7D
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02AD8300 9_2_02AD8300
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02AD0580 9_2_02AD0580
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02AD88D8 9_2_02AD88D8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02ADB2B0 9_2_02ADB2B0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02AD7B98 9_2_02AD7B98
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02ADDD08 9_2_02ADDD08
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02AD0BE0 9_2_02AD0BE0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02AD10F8 9_2_02AD10F8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02AD1612 9_2_02AD1612
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_02AD59E0 9_2_02AD59E0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057EF4D8 9_2_057EF4D8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057EE950 9_2_057EE950
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057EF478 9_2_057EF478
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E1C50 9_2_057E1C50
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E37F0 9_2_057E37F0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E3FF0 9_2_057E3FF0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E47F0 9_2_057E47F0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E4FF0 9_2_057E4FF0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E37D3 9_2_057E37D3
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E3F92 9_2_057E3F92
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E4790 9_2_057E4790
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E4F90 9_2_057E4F90
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E0622 9_2_057E0622
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E0EF8 9_2_057E0EF8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E0EA1 9_2_057E0EA1
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E7940 9_2_057E7940
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E7934 9_2_057E7934
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057EF1C9 9_2_057EF1C9
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E78BC 9_2_057E78BC
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E08A8 9_2_057E08A8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06440040 9_2_06440040
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_064440D8 9_2_064440D8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06440828 9_2_06440828
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_064448C0 9_2_064448C0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06442970 9_2_06442970
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_064417F8 9_2_064417F8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06441010 9_2_06441010
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06443158 9_2_06443158
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06441FE0 9_2_06441FE0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06443940 9_2_06443940
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_064407C8 9_2_064407C8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06440006 9_2_06440006
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06444128 9_2_06444128
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06440FB0 9_2_06440FB0
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_064448B1 9_2_064448B1
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_0644290F 9_2_0644290F
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06441798 9_2_06441798
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_064430F8 9_2_064430F8
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_06441F81 9_2_06441F81
PE file contains strange resources
Source: (appproved)WJO-TT180,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000000.330064109.0000000000245000.00000002.00020000.sdmp Binary or memory string: OriginalFilename: vs (appproved)WJO-TT180,pdf.exe
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.417012574.0000000002501000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEEO8YB3M.exe4 vs (appproved)WJO-TT180,pdf.exe
Source: (appproved)WJO-TT180,pdf.exe, 00000000.00000002.425891507.00000000084F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs (appproved)WJO-TT180,pdf.exe
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.595952582.00000000009E5000.00000002.00020000.sdmp Binary or memory string: OriginalFilename: vs (appproved)WJO-TT180,pdf.exe
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.595772513.0000000000466000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameEEO8YB3M.exe4 vs (appproved)WJO-TT180,pdf.exe
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.596012564.0000000000D86000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs (appproved)WJO-TT180,pdf.exe
Source: (appproved)WJO-TT180,pdf.exe Binary or memory string: OriginalFilename: vs (appproved)WJO-TT180,pdf.exe
Uses 32bit PE files
Source: (appproved)WJO-TT180,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal84.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\(appproved)WJO-TT180,pdf.exe.log
Source: (appproved)WJO-TT180,pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: (appproved)WJO-TT180,pdf.exe Virustotal: Detection: 18%
Source: (appproved)WJO-TT180,pdf.exe ReversingLabs: Detection: 12%
Source: unknown Process created: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe 'C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe {path}
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Process created: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe {path}
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: (appproved)WJO-TT180,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: (appproved)WJO-TT180,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match File source: 00000000.00000002.419975488.0000000003509000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.595511779.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420374422.0000000003769000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 5604, type: MEMORY
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.37023d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.3549528.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.(appproved)WJO-TT180,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.37023d8.1.raw.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 0_2_088487D9 push E9FFFFFFh; iretd 0_2_088487EE
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Code function: 9_2_057E2C72 push 8B000005h; retf 9_2_057E2C77
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match File source: 00000000.00000002.419975488.0000000003509000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.595511779.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420374422.0000000003769000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 5604, type: MEMORY
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.37023d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.3549528.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.(appproved)WJO-TT180,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.37023d8.1.raw.unpack, type: UNPACKEDPE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe TID: 6836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Memory written: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Process created: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe {path}
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597169526.00000000016A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597169526.00000000016A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597169526.00000000016A0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: (appproved)WJO-TT180,pdf.exe, 00000009.00000002.597169526.00000000016A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.419975488.0000000003509000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.595511779.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420374422.0000000003769000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 5604, type: MEMORY
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.37023d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.3549528.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.(appproved)WJO-TT180,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.37023d8.1.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\(appproved)WJO-TT180,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 5604, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.419975488.0000000003509000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.595511779.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420374422.0000000003769000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: (appproved)WJO-TT180,pdf.exe PID: 5604, type: MEMORY
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.37023d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.3549528.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.(appproved)WJO-TT180,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(appproved)WJO-TT180,pdf.exe.37023d8.1.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 356452; Sample: (appproved)WJO-TT180,pdf.exe; Startdate: 23/02/2021; Architecture: WINDOWS; Score: 84
Start node signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Snake Keylogger; 2 other signatures
Process (appproved)WJO-TT180,pdf.exe started; dropped file C:\Users\...\(appproved)WJO-TT180,pdf.exe.log (ASCII); signature: Injects a PE file into a foreign processes
Child process (appproved)WJO-TT180,pdf.exe started; DNS/IP: checkip.dyndns.org; checkip.dyndns.com 131.186.161.70 (ports 49728, 49729, 80; DYNDNSUS, United States); freegeoip.app 104.21.19.200 (ports 443, 49732; CLOUDFLARENETUS, United States); signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
131.186.161.70 | unknown | United States | 33517 | DYNDNSUS | false
104.21.19.200 | unknown | United States | 13335 | CLOUDFLARENETUS | false

Contacted Domains

Name IP Active
freegeoip.app 104.21.19.200 true
checkip.dyndns.com 131.186.161.70 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown