Loading ...

Play interactive tourEdit tour

Windows Analysis Report IN00043Q1098157INBOM_PDF.scr

Overview

General Information

Sample Name:IN00043Q1098157INBOM_PDF.scr (renamed file extension from scr to exe)
Analysis ID:483913
MD5:c2ce5a6ac6a3f64917af0f6ea60c04e5
SHA1:4f04822fbc2e6c2cbcd529ffbf13fe0e69d0ef8b
SHA256:4220609cfa7ee56eb45421d8c08257f828c06bb8ebf0bc602cff01609107c6c4
Tags:agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • IN00043Q1098157INBOM_PDF.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe' MD5: C2CE5A6AC6A3F64917AF0F6EA60C04E5)
    • powershell.exe (PID: 6652 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_compiler.exe (PID: 5364 cmdline: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "z6@pa-ksa.com", "Password": "7mgTt7HCBo3_tl@", "Host": "secure300.inmotionhosting.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 10 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.IN00043Q1098157INBOM_PDF.exe.42ef140.11.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.IN00043Q1098157INBOM_PDF.exe.42ef140.11.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                27.2.aspnet_compiler.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  27.2.aspnet_compiler.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    0.2.IN00043Q1098157INBOM_PDF.exe.43a3ce8.12.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 9 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Non Interactive PowerShellShow sources
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, CommandLine|base64offset|contains: Jy, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe' , ParentImage: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe, ParentProcessId: 6352, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, ProcessId: 6652
                      Sigma detected: T1086 PowerShell ExecutionShow sources
                      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132762211537809114.6652.DefaultAppDomain.powershell

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.IN00043Q1098157INBOM_PDF.exe.43f3d08.14.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "z6@pa-ksa.com", "Password": "7mgTt7HCBo3_tl@", "Host": "secure300.inmotionhosting.com"}
                      Machine Learning detection for sampleShow sources
                      Source: IN00043Q1098157INBOM_PDF.exeJoe Sandbox ML: detected
                      Source: 27.2.aspnet_compiler.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: IN00043Q1098157INBOM_PDF.exe
                      Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, aspnet_compiler.exe.0.dr
                      Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: IN00043Q1098157INBOM_PDF.exe
                      Source: aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmpString found in binary or memory: http://ISXesm.com
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://james.newtonking.com/projects/json
                      Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://ocsp.digicert.com0C
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://ocsp.digicert.com0K
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://ocsp.digicert.com0N
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: http://ocsp.digicert.com0O
                      Source: powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngH
                      Source: powershell.exe, 00000004.00000002.345882415.0000000004771000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlH
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224188494.0000000006096000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224137907.0000000006096000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html:3
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.440850247.0000000001867000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.com/designersa6
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comX
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma4
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comiona
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituF-
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituFQ
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comitud
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.219288579.0000000006057000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.226033077.0000000006057000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.226033077.0000000006057000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/n
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.220902698.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.220902698.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/2
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/4
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/C
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Q
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/4
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oH
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oi
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vnoJ
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/waC
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/PesterH
                      Source: powershell.exe, 00000004.00000002.349199494.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: https://www.digicert.com/CPS0
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: https://www.newtonsoft.com/json
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: https://www.newtonsoft.com/jsonschema
                      Source: IN00043Q1098157INBOM_PDF.exeString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.438643894.00000000013E8000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_00D520500_2_00D52050
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_0162C1340_2_0162C134
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_0162E5680_2_0162E568
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_0162E5780_2_0162E578
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_00D56F3F0_2_00D56F3F
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_00D55DE20_2_00D55DE2
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_047508584_2_04750858
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07858DE04_2_07858DE0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078500144_2_07850014
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078500404_2_07850040
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053B46E027_2_053B46E0
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053B465027_2_053B4650
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053B469227_2_053B4692
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053B46D227_2_053B46D2
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053BD35027_2_053BD350
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A753027_2_061A7530
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A90F027_2_061A90F0
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A691827_2_061A6918
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A6C6027_2_061A6C60
                      Source: IN00043Q1098157INBOM_PDF.exeBinary or memory string: OriginalFilename vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.439411203.0000000001530000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameGexjantftnrclnlpo.dllD vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBqppZujFnZRDUhZjEPpNfXEpLZgMl.exe4 vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.438643894.00000000013E8000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.442249065.0000000004191000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAtexwtottfz.dll" vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000000.213953537.0000000000D52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000000.213953537.0000000000D52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSSGG1.exe: vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exeBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exeBinary or memory string: OriginalFilenameSSGG1.exe: vs IN00043Q1098157INBOM_PDF.exe
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe A1661DB1B74B876A7E789FC6EBB4E34BEAFA2B48A08E13FD18927FBECC9D2AC4
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe 'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe'
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20Jump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IN00043Q1098157INBOM_PDF.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeFile created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeJump to behavior
                      Source: classification engineClassification label: mal80.troj.evad.winEXE@6/7@0/0
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: IN00043Q1098157INBOM_PDF.exe
                      Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, aspnet_compiler.exe.0.dr
                      Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: IN00043Q1098157INBOM_PDF.exe
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A7EFA push 8BF04589h; iretd 27_2_061A7F84
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: 0xBA8C4F5A [Wed Mar 6 01:05:30 2069 UTC]
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.06744291098
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeFile created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeJump to dropped file
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe TID: 6356Thread sleep time: -34000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe TID: 6388Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5592Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6808Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 6524Thread sleep time: -10145709240540247s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 6496Thread sleep count: 284 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 6496Thread sleep count: 9581 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2062Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1443Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeWindow / User API: threadDelayed 9581Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: powershell.exe, 00000004.00000002.347257927.0000000004BB2000.00000004.00000001.sdmpBinary or memory string: Hyper-V
                      Source: powershell.exe, 00000004.00000002.347257927.0000000004BB2000.00000004.00000001.sdmpBinary or memory string: i:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.438821139.0000000001421000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.438821139.0000000001421000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20Jump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeJump to behavior
                      Source: aspnet_compiler.exe, 0000001B.00000002.485882884.00000000019C0000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: aspnet_compiler.exe, 0000001B.00000002.485882884.00000000019C0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: aspnet_compiler.exe, 0000001B.00000002.485882884.00000000019C0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: aspnet_compiler.exe, 0000001B.00000002.485882884.00000000019C0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN0