Analysis Report HT210525 IV Quotation.exe

Overview

General Information

Sample Name: HT210525 IV Quotation.exe
Analysis ID: 433221
MD5: 8ea3cb0d331f0a8414e5b2ecfce3abf3
SHA1: 4c690653287b4b783b46ec4991d71d81ca527dbc
SHA256: e2b3c7e7061e68aa31813371c589b7b0b11b12750fab1ce87f5ea7cca9740563
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "accounts@buynsell.com.pkTZaQ}N$m+6$vmail.buynsell.com.pkmaria@tradzilanilaw.co.za"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\KEehxxQTfXmag.exe ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: HT210525 IV Quotation.exe Virustotal: Detection: 39%
Source: HT210525 IV Quotation.exe ReversingLabs: Detection: 58%
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 13.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Unpacked PE file: 0.2.HT210525 IV Quotation.exe.540000.0.unpack
Uses 32bit PE files
Source: HT210525 IV Quotation.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HT210525 IV Quotation.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000002.601017692.0000000005E50000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.509003521.0000000000D22000.00000002.00020000.sdmp, NewApp.exe, 00000016.00000000.524405715.00000000006C2000.00000002.00020000.sdmp, NewApp.exe.13.dr
Source: Binary string: RegSvcs.pdb source: NewApp.exe, NewApp.exe.13.dr
Source: RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: http://IsXVMb.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.442922182.0000000002A91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HT210525 IV Quotation.exe, 00000000.00000003.335108063.0000000005C2E000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comn-u
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000003.340397452.0000000005C2B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: HT210525 IV Quotation.exe, 00000000.00000003.341632770.0000000005C2B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers#2Oc
Source: HT210525 IV Quotation.exe, 00000000.00000003.338826050.0000000005C4B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HT210525 IV Quotation.exe, 00000000.00000003.341139830.0000000005C4B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: HT210525 IV Quotation.exe, 00000000.00000003.341394504.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlp
Source: HT210525 IV Quotation.exe, 00000000.00000003.338875299.0000000005C2B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/n
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: HT210525 IV Quotation.exe, 00000000.00000003.341374586.0000000005C2B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersK2
Source: HT210525 IV Quotation.exe, 00000000.00000003.339726935.0000000005C2B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersU2
Source: HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.come.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.como$
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: HT210525 IV Quotation.exe, 00000000.00000003.334510475.0000000005C46000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.c
Source: HT210525 IV Quotation.exe, 00000000.00000003.334541105.0000000005C4C000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000003.334031759.0000000005C2C000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: HT210525 IV Quotation.exe, 00000000.00000003.334541105.0000000005C4C000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000003.333367785.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HT210525 IV Quotation.exe, 00000000.00000003.333302020.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/nt
Source: HT210525 IV Quotation.exe, 00000000.00000003.333988336.0000000005C4E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cna-da
Source: HT210525 IV Quotation.exe, 00000000.00000003.334431042.0000000005C46000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnak
Source: HT210525 IV Quotation.exe, 00000000.00000003.333982038.0000000005C46000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnt-p
Source: HT210525 IV Quotation.exe, 00000000.00000003.333853304.0000000005C4E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnuct
Source: HT210525 IV Quotation.exe, 00000000.00000003.343375719.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HT210525 IV Quotation.exe, 00000000.00000003.343733436.0000000005C4C000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krg
Source: HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krny
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: HT210525 IV Quotation.exe, 00000000.00000003.344381296.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr=
Source: HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krim
Source: HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krn
Source: HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kru
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: HT210525 IV Quotation.exe, 00000000.00000003.335681000.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comic
Source: HT210525 IV Quotation.exe, 00000000.00000003.335681000.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comslntp
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: HT210525 IV Quotation.exe, 00000000.00000003.338826050.0000000005C4B000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: HT210525 IV Quotation.exe, 00000000.00000003.341835039.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de#
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: HT210525 IV Quotation.exe, 00000000.00000003.341835039.0000000005C4C000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deFr(
Source: HT210525 IV Quotation.exe, 00000000.00000003.338545084.0000000005C4B000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dewa
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: HT210525 IV Quotation.exe, 00000000.00000003.335295630.0000000005C4D000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: HT210525 IV Quotation.exe, 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: HT210525 IV Quotation.exe, 00000000.00000002.442105087.0000000000DD8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 13.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b8BF639BFu002dB050u002d491Au002dB7C3u002d9B4E757F287Eu007d/EE632A4Bu002d7496u002d4EB8u002d973Du002dC6A9FD69F6EE.cs Large array initialization: .cctor: array initializer size 12026
Source: 13.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b8BF639BFu002dB050u002d491Au002dB7C3u002d9B4E757F287Eu007d/EE632A4Bu002d7496u002d4EB8u002d973Du002dC6A9FD69F6EE.cs Large array initialization: .cctor: array initializer size 12026
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: HT210525 IV Quotation.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC01A4 NtQueryInformationProcess, 0_2_00DC01A4
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC33A0 NtQueryInformationProcess, 0_2_00DC33A0
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA2BF8 NtUnmapViewOfSection, 0_2_04AA2BF8
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA2BF0 NtUnmapViewOfSection, 0_2_04AA2BF0
Detected potential crypto function
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC2C78 0_2_00DC2C78
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC3170 0_2_00DC3170
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC36C8 0_2_00DC36C8
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC0471 0_2_00DC0471
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC3161 0_2_00DC3161
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC36B8 0_2_00DC36B8
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA0EB0 0_2_04AA0EB0
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA0EA1 0_2_04AA0EA1
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA0881 0_2_04AA0881
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA10EC 0_2_04AA10EC
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA0007 0_2_04AA0007
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA0040 0_2_04AA0040
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA1140 0_2_04AA1140
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA115C 0_2_04AA115C
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_0570EC48 0_2_0570EC48
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_057094A8 0_2_057094A8
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_05709498 0_2_05709498
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_05708E30 0_2_05708E30
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_05705638 0_2_05705638
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_05708E21 0_2_05708E21
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_05705628 0_2_05705628
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_05708B85 0_2_05708B85
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_05708B88 0_2_05708B88
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_0570D278 0_2_0570D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_014B4860 13_2_014B4860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_014B4790 13_2_014B4790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_014B4810 13_2_014B4810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_014BDA20 13_2_014BDA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_05FB7538 13_2_05FB7538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_05FB94F8 13_2_05FB94F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_05FB6920 13_2_05FB6920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_05FB6C68 13_2_05FB6C68
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
PE file contains strange resources
Source: HT210525 IV Quotation.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KEehxxQTfXmag.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: HT210525 IV Quotation.exe Binary or memory string: OriginalFilename vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe, 00000000.00000002.454899626.000000000EBC0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe, 00000000.00000002.454521545.0000000008F10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCXJCmeIpHLhzNZNIEmFUISrE.exe4 vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe, 00000000.00000002.446272357.0000000003C86000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe, 00000000.00000002.446272357.0000000003C86000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameeNX0.exe: vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe, 00000000.00000002.443521703.0000000002BE5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe, 00000000.00000002.455028919.000000000ECB0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe, 00000000.00000002.455028919.000000000ECB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs HT210525 IV Quotation.exe
Source: HT210525 IV Quotation.exe Binary or memory string: OriginalFilenameeNX0.exe: vs HT210525 IV Quotation.exe
Uses 32bit PE files
Source: HT210525 IV Quotation.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 13.0.RegSvcs.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.adwa.evad.winEXE@12/8@0/0
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe File created: C:\Users\user\AppData\Roaming\KEehxxQTfXmag.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_01
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe File created: C:\Users\user\AppData\Local\Temp\tmpCED.tmp
Source: HT210525 IV Quotation.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HT210525 IV Quotation.exe Virustotal: Detection: 39%
Source: HT210525 IV Quotation.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe File read: C:\Users\user\Desktop\HT210525 IV Quotation.exe
Source: unknown Process created: C:\Users\user\Desktop\HT210525 IV Quotation.exe 'C:\Users\user\Desktop\HT210525 IV Quotation.exe'
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: HT210525 IV Quotation.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HT210525 IV Quotation.exe Static file information: File size 1129472 > 1048576
Source: HT210525 IV Quotation.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000002.601017692.0000000005E50000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.509003521.0000000000D22000.00000002.00020000.sdmp, NewApp.exe, 00000016.00000000.524405715.00000000006C2000.00000002.00020000.sdmp, NewApp.exe.13.dr
Source: Binary string: RegSvcs.pdb source: NewApp.exe, NewApp.exe.13.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Unpacked PE file: 0.2.HT210525 IV Quotation.exe.540000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Unpacked PE file: 0.2.HT210525 IV Quotation.exe.540000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00545746 push esi; ret 0_2_00545747
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_0054241B push esi; retf 0_2_00542439
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_04AA1831 push edi; ret 0_2_04AA1833
Source: initial sample Static PE information: section name: .text entropy: 7.09066912036

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe File created: C:\Users\user\AppData\Roaming\KEehxxQTfXmag.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NewApp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: HT210525 IV Quotation.exe PID: 6688, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to detect virtual machines (SGDT)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Code function: 0_2_00DC7B19 sgdt fword ptr [eax] 0_2_00DC7B19
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7784
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe TID: 6752 Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe TID: 6736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 4964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 5496 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Thread delayed: delay time: 922337203685477
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RegSvcs.exe, 0000000D.00000002.600743634.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: vmware
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 0000000D.00000002.600743634.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 0000000D.00000002.600743634.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: HT210525 IV Quotation.exe, 00000000.00000002.442341794.0000000000E5E000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: HT210525 IV Quotation.exe, 00000000.00000002.442341794.0000000000E5E000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 0000000D.00000002.600743634.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B30008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: RegSvcs.exe, 0000000D.00000002.597004930.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 0000000D.00000002.597004930.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 0000000D.00000002.597004930.00000000016F0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: RegSvcs.exe, 0000000D.00000002.597004930.00000000016F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Users\user\Desktop\HT210525 IV Quotation.exe VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_05FB58F4 GetUserNameW, 13_2_05FB58F4
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY
Source: Yara match File source: Process Memory Space: HT210525 IV Quotation.exe PID: 6688, type: MEMORY
Source: Yara match File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY
Source: Yara match File source: Process Memory Space: HT210525 IV Quotation.exe PID: 6688, type: MEMORY
Source: Yara match File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
No contacted IP infos