Windows Analysis Report: Quotation Request.pdf.scr

Overview

General Information

Sample Name: Quotation Request.pdf.scr (renamed file extension from scr to exe)
Analysis ID: 501145
MD5: 95d884c21021e67ea7e9e204a0488fa3
SHA1: 38786584d7caf1b36e7b72bf85099a82589c48a6
SHA256: b7e4d5626ef15e8584e644e1bfaade75c1faaa54549bde7560f44bd3550281de
Tags: exe, nanocore

Detection: NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • Quotation Request.pdf.exe (PID: 4556 cmdline: 'C:\Users\user\Desktop\Quotation Request.pdf.exe' MD5: 95D884C21021E67EA7E9E204A0488FA3)
    • schtasks.exe (PID: 2812 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 408 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
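
The extracted configuration above is the most useful artifact in this report for a responder. The Python below is an added example (not from Joe Sandbox or the report) that parses that exact JSON, derives the network and host indicators, lists the switches the operator turned on, and reconciles the static config with what the sandbox observed: scheduled-task persistence although RunOnStartup is off, C2 traffic on the configured port 6051, and the zone.identifier signature explained by ClearZoneIdentifier. The FLAG_NOTES annotations and the `observed` dictionary are this editor's interpretation of the key names, not NanoCore documentation.

```python
import json

# Configuration exactly as the sandbox extracted it (copied from this report).
NANOCORE_CONFIG = r'''{"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}'''

# Editor's triage notes for the switches that change what a responder must assume.
# These are readings of the key names (assumption), not NanoCore documentation.
FLAG_NOTES = {
    "KeyboardLogging": "keystroke capture is on: treat anything typed on the host as exposed",
    "ClearZoneIdentifier": "Zone.Identifier stream is removed, so mark-of-the-web no longer flags the file",
    "PreventSystemSleep": "host is kept awake so the C2 session stays up",
    "UseCustomDNS": "C2 names are resolved via the configured public resolvers, bypassing corporate DNS logs",
    "RunOnStartup": "client registers its own autostart",
    "BypassUAC": "client attempts a UAC bypass",
    "SetCriticalProcess": "client marks itself critical (terminating it crashes the host)",
}


def parse_config(raw: str) -> dict:
    """Normalise the extracted JSON into the fields a responder actually uses."""
    cfg = json.loads(raw)
    domains = [cfg[k] for k in sorted(cfg) if k.startswith("Domain") and cfg[k]]
    port = int(cfg["Port"])
    enabled = sorted(k for k, v in cfg.items() if v == "Enable")
    custom_dns = ([cfg["PrimaryDNSServer"], cfg["BackupDNSServer"]]
                  if cfg.get("UseCustomDNS") == "Enable" else [])
    return {
        "version": cfg["Version"],
        "mutex": cfg["Mutex"],
        "c2": [(d, port) for d in domains],
        "custom_dns": custom_dns,
        "enabled": enabled,
        "notes": {k: FLAG_NOTES[k] for k in enabled if k in FLAG_NOTES},
        # Delays in milliseconds, as extracted; a pivot when hunting for beaconing.
        "timing_ms": {k: int(cfg[k]) for k in ("RunDelay", "ConnectDelay", "RestartDelay", "KeepAliveTimeout")},
    }


def iocs(parsed: dict) -> list:
    """Flat, sorted indicator list for a blocklist or hunt query."""
    out = {f"domain:{d}" for d, _ in parsed["c2"]}
    out |= {f"dst_port:{p}" for _, p in parsed["c2"]}
    out |= {f"dns_resolver:{ip}" for ip in parsed["custom_dns"]}
    out.add(f"mutex:{parsed['mutex']}")
    return sorted(out)


def cross_check(parsed: dict, observed: dict) -> list:
    """Reconcile the static config with the sandbox's dynamic observations."""
    notes = []
    if "c2_port" in observed:
        if observed["c2_port"] in {p for _, p in parsed["c2"]}:
            notes.append("config port matches the observed C2 connection")
        else:
            notes.append("observed C2 port is not in the config: second stage or wrong config?")
    if observed.get("schtasks_persistence") and "RunOnStartup" not in parsed["enabled"]:
        notes.append("RunOnStartup is off, so the scheduled task in the process tree is the persistence mechanism")
    if observed.get("zone_identifier_cleared") and "ClearZoneIdentifier" in parsed["enabled"]:
        notes.append("ClearZoneIdentifier accounts for the zone.identifier signature")
    return notes


if __name__ == "__main__":
    parsed = parse_config(NANOCORE_CONFIG)
    # What this report observed dynamically (from its signature and process-tree sections).
    observed = {"c2_port": 6051, "schtasks_persistence": True, "zone_identifier_cleared": True}
    for line in iocs(parsed):
        print(line)
    for key, note in parsed["notes"].items():
        print(f"{key}: {note}")
    for note in cross_check(parsed, observed):
        print("check:", note)
```

The mutex is worth keeping in the indicator list: NanoCore uses it to prevent a second instance, so a quick `Get-Process`-independent check for an existing mutex named `ed2d5ce0-ca4d-4264-be01-91a018d5` tells you whether the client is running on a host even when the hollowed RegSvcs.exe looks legitimate.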

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.271987580.0000000002D97000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xbc275:$x1: NanoCore.ClientPluginHost
  • 0xeea95:$x1: NanoCore.ClientPluginHost
  • 0xbc2b2:$x2: IClientNetworkHost
  • 0xeead2:$x2: IClientNetworkHost
  • 0xbfde5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xf2605:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xbbfdd:$a: NanoCore
  • 0xbbfed:$a: NanoCore
  • 0xbc221:$a: NanoCore
  • 0xbc235:$a: NanoCore
  • 0xbc275:$a: NanoCore
  • 0xee7fd:$a: NanoCore
  • 0xee80d:$a: NanoCore
  • 0xeea41:$a: NanoCore
  • 0xeea55:$a: NanoCore
  • 0xeea95:$a: NanoCore
  • 0xbc03c:$b: ClientPlugin
  • 0xbc23e:$b: ClientPlugin
  • 0xbc27e:$b: ClientPlugin
  • 0xee85c:$b: ClientPlugin
  • 0xeea5e:$b: ClientPlugin
  • 0xeea9e:$b: ClientPlugin
  • 0xbc163:$c: ProjectData
  • 0xee983:$c: ProjectData
  • 0x1efe33:$c: ProjectData
  • 0x265653:$c: ProjectData
  • 0xbcb6a:$d: DESCrypto

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.Quotation Request.pdf.exe.2d69644.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation Request.pdf.exe', ParentImage: C:\Users\user\Desktop\Quotation Request.pdf.exe, ParentProcessId: 4556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation Request.pdf.exe', ParentImage: C:\Users\user\Desktop\Quotation Request.pdf.exe, ParentProcessId: 4556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
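
The process tree and the Sigma hits above describe one chain: a double-extension lure drops a copy of itself to %APPDATA%, registers a scheduled task from an XML file in %TEMP%, and starts the .NET utility RegSvcs.exe with no arguments as a host for the injected RAT, which then writes run.dat under a GUID-named folder in %APPDATA%. The Python below is an added example (it is not the Sigma rules themselves and not part of the report) that encodes those four observations as checks over Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records and then correlates them by parent PID, so that a lure which both schedules a task and spawns an argument-less .NET host is surfaced as one incident rather than four alerts. The records are reconstructed from the values in this report; the explorer.exe parent, the ParentProcessId values and the two benign control events are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sysmon-style events reconstructed from this report's process tree and Sigma
# sections (PIDs, paths and command lines as listed there). The explorer.exe
# parent and the ParentProcessId values are assumptions; the last two events
# are constructed benign controls that must not fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 4556, "ParentProcessId": 1234,
     "Image": r"C:\Users\user\Desktop\Quotation Request.pdf.exe",
     "CommandLine": r"'C:\Users\user\Desktop\Quotation Request.pdf.exe'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2812, "ParentProcessId": 4556,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\Quotation Request.pdf.exe"},
    {"EventID": 1, "ProcessId": 408, "ParentProcessId": 4556,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "ParentImage": r"C:\Users\user\Desktop\Quotation Request.pdf.exe"},
    {"EventID": 11, "ProcessId": 408,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 9001, "ParentProcessId": 9000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe MyApp.sln /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 1, "ProcessId": 9002, "ParentProcessId": 9000,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Query /TN Microsoft\Windows\Defrag\ScheduledDefrag",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# .NET framework utilities commonly started argument-less as injection targets,
# and the developer tools that legitimately launch some of them.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
LURE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(exe|scr|com|pif)$", re.I)
RUN_DAT = re.compile(r"\\appdata\\roaming\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\run\.dat$", re.I)
XML_ARG = re.compile(r"/xml\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)


def name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def arguments(cmdline: str) -> str:
    """Everything after the (possibly quoted) executable token."""
    m = re.match(r"""\s*(?:'[^']*'|"[^"]*"|\S+)\s*(.*)$""", cmdline)
    return m.group(1).strip() if m else ""


def r_sacrificial_host(ev):
    return (ev["EventID"] == 1 and name(ev["Image"]) in DOTNET_HOSTS
            and arguments(ev["CommandLine"]) == ""
            and name(ev["ParentImage"]) not in DEV_PARENTS)


def r_schtasks_temp_xml(ev):
    if ev["EventID"] != 1 or name(ev["Image"]) != "schtasks.exe":
        return False
    cmd = ev["CommandLine"]
    if "/create" not in cmd.lower():
        return False
    m = XML_ARG.search(cmd)
    xml = next((g for g in m.groups() if g), "") if m else ""
    return "\\appdata\\local\\temp\\" in xml.lower()


def r_run_dat(ev):
    return ev["EventID"] == 11 and bool(RUN_DAT.search(ev["TargetFilename"]))


def r_double_extension(ev):
    return ev["EventID"] == 1 and bool(LURE_EXT.search(name(ev["Image"])))


RULES = {
    "sacrificial_dotnet_host": r_sacrificial_host,
    "schtasks_create_temp_xml": r_schtasks_temp_xml,
    "nanocore_run_dat": r_run_dat,
    "double_extension_lure": r_double_extension,
}


def run_rules(events):
    """Sorted (rule, pid) pairs for every record that fires a rule."""
    return sorted((rule, ev["ProcessId"]) for ev in events for rule, fn in RULES.items() if fn(ev))


def correlate(events):
    """PIDs that are a double-extension lure AND whose children fired both the
    scheduled-task and the argument-less .NET host rule: the chain in this report."""
    hits = run_rules(events)
    by_pid = {ev["ProcessId"]: ev for ev in events if ev["EventID"] == 1}
    children = defaultdict(set)
    for rule, pid in hits:
        parent = by_pid.get(pid, {}).get("ParentProcessId")
        if parent is not None:
            children[parent].add(rule)
    lures = {pid for rule, pid in hits if rule == "double_extension_lure"}
    return sorted(pid for pid in lures
                  if {"schtasks_create_temp_xml", "sacrificial_dotnet_host"} <= children[pid])


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule}: pid {pid}")
    print("correlated lure PIDs:", correlate(EVENTS))
```

The argument-less check is what separates the injection case from normal use: MSBuild.exe and RegSvcs.exe are always passed a project or assembly when used for their purpose, so an instance whose command line is nothing but its own path, started by something that is not a build tool, is a hollowed host rather than a developer's build. The task XML in %TEMP% is the second strong signal; the file itself (tmpAC55.tmp here) is not on this page, but it is the first thing to pull from disk when the rule fires, since it names the executable the task runs.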

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack | Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Quotation Request.pdf.exe | ReversingLabs: Detection: 11%
Multi AV Scanner detection for domain / URL
Source: harold.2waky.com | VirusTotal: Detection: 14%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe | ReversingLabs: Detection: 11%
Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY
Source: Quotation Request.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Quotation Request.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb | source: RegSvcs.exe, 00000007.00000003.290185349.0000000001113000.00000004.00000001.sdmp

            Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: harold.accesscam.org
Source: Malware configuration extractor | URLs: harold.2waky.com
Source: Joe Sandbox View | ASN Name: DATAWIRE-ASCH
Source: Joe Sandbox View | IP Address: 185.19.85.137
Source: global traffic | TCP traffic: 192.168.2.7:49756 -> 185.19.85.137:6051
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000003.247763670.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation Request.pdf.exe, 00000000.00000003.256449463.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation Request.pdf.exe, 00000000.00000003.257539567.00000000051B2000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma2
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsk
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: Quotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Quotation Request.pdf.exe, 00000000.00000003.247318440.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com-
Source: Quotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX
Source: Quotation Request.pdf.exe, 00000000.00000003.247222256.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comx
Source: Quotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation Request.pdf.exe, 00000000.00000003.250899369.00000000051A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/ru
Source: Quotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnZ
Source: Quotation Request.pdf.exe, 00000000.00000003.250354410.00000000051B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: Quotation Request.pdf.exe, 00000000.00000003.249579657.00000000051A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr-cM
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmB
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation Request.pdf.exe, 00000000.00000003.252824955.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//C
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0C
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0Pq
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/2
Source: Quotation Request.pdf.exe, 00000000.00000003.253130198.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation Request.pdf.exe, 00000000.00000003.253855605.00000000051B2000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000003.253868234.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Quotation Request.pdf.exe, 00000000.00000003.252541339.00000000051BB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comlic
Source: Quotation Request.pdf.exe, 00000000.00000003.252432324.00000000051BB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnta;
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de9;
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deax;
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation Request.pdf.exe, 00000000.00000003.251414571.00000000051AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn5
Source: unknown | DNS traffic detected: queries for: harold.accesscam.org
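
Of the network evidence above, only two items are indicators: the DNS lookup for harold.accesscam.org and the TCP connection to 185.19.85.137:6051, which is the port from the extracted configuration. The long list of http://www.fontbureau.com, fonts.com, jiyu-kobo.co.jp, urwpp.de and similar strings are font-foundry and designer URLs from the name tables of fonts the process enumerated; the report records no traffic to any of them and they should not go on a blocklist. The Python below is an added example (not part of the report) that applies the config-derived indicators to constructed DNS and flow records: it flags lookups of the C2 domains or their subdomains, endpoints sending DNS to 8.8.8.8/8.8.4.4 directly (the client's UseCustomDNS setting routes around the corporate resolver and its logs), and connections on the configured port to an address that a C2 name resolved to. The approved resolver 192.168.2.1, the benign records and the RFC 5737 addresses are assumptions.

```python
# Indicators taken from the configuration and traffic recorded in this report.
C2_DOMAINS = {"harold.accesscam.org", "harold.2waky.com"}
C2_PORT = 6051
CUSTOM_RESOLVERS = {"8.8.8.8", "8.8.4.4"}   # PrimaryDNSServer / BackupDNSServer from the config
APPROVED_RESOLVERS = {"192.168.2.1"}        # assumed corporate resolver for the 192.168.2.0/24 clients
COMMON_PORTS = {22, 25, 53, 80, 123, 389, 443, 445, 465, 587, 636, 993, 995, 3389}

# Constructed telemetry. DNS record 2 and flow 1 mirror the report (client 192.168.2.7,
# lookup of harold.accesscam.org, TCP 49756 -> 185.19.85.137:6051); the other records
# are benign controls using RFC 5737 documentation addresses.
DNS_LOG = [
    {"src": "192.168.2.7", "resolver": "192.168.2.1", "qname": "www.fontbureau.com", "answer": "203.0.113.20"},
    {"src": "192.168.2.7", "resolver": "8.8.8.8", "qname": "harold.accesscam.org", "answer": "185.19.85.137"},
    {"src": "192.168.2.9", "resolver": "192.168.2.1", "qname": "update.example.net", "answer": "203.0.113.30"},
]
FLOWS = [
    {"src": "192.168.2.7", "sport": 49756, "dst": "185.19.85.137", "dport": 6051, "proto": "tcp"},
    {"src": "192.168.2.7", "sport": 50012, "dst": "203.0.113.20", "dport": 443, "proto": "tcp"},
    {"src": "192.168.2.9", "sport": 50100, "dst": "203.0.113.30", "dport": 8443, "proto": "tcp"},
]


def matches_c2(qname: str) -> bool:
    """True for a configured C2 domain or any subdomain of one (trailing dot tolerated)."""
    q = qname.lower().rstrip(".")
    return q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS)


def analyze(dns_log, flows):
    """Return (severity, kind, detail) findings. DNS answers are kept so that a later
    flow to the answered address can be labelled with the name that led to it."""
    findings, resolved = [], {}
    for r in dns_log:
        if r.get("answer"):
            resolved.setdefault(r["answer"], set()).add(r["qname"].lower())
        if matches_c2(r["qname"]):
            findings.append(("high", "c2_domain_lookup",
                             f"{r['src']} asked {r['resolver']} for {r['qname']}"))
        if r["resolver"] in CUSTOM_RESOLVERS and r["resolver"] not in APPROVED_RESOLVERS:
            findings.append(("medium", "dns_resolver_bypass",
                             f"{r['src']} queried public resolver {r['resolver']} directly"))
    for f in flows:
        names = resolved.get(f["dst"], set())
        where = f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}/{f['proto']}"
        if f["dport"] == C2_PORT and any(matches_c2(n) for n in names):
            findings.append(("high", "c2_connection", f"{where} ({', '.join(sorted(names))})"))
        elif f["proto"] == "tcp" and f["dport"] not in COMMON_PORTS:
            # Weak on its own; it is what the report's "non-standard ports" signature keys on.
            findings.append(("low", "uncommon_port", where))
    return findings


def by_severity(findings) -> dict:
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(DNS_LOG, FLOWS)
    for sev, kind, detail in results:
        print(f"[{sev}] {kind}: {detail}")
    print(by_severity(results))
```

The resolver-bypass check is the one most likely to keep paying off after the C2 domains rotate: a workstation that is configured to use the internal resolver but sends UDP/53 to 8.8.8.8 is either misconfigured or running something with its own DNS settings, and this sample's config shows why the second case matters.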

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Initial sample is a PE file and has a suspicious nameShow sources
            Source: initial sampleStatic PE information: Filename: Quotation Request.pdf.exe
            Source: initial sampleStatic PE information: Filename: Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_006443510_2_00644351
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_00FB2E090_2_00FB2E09
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D86AB0_2_028D86AB
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D01100_2_028D0110
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D2E880_2_028D2E88
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D2E770_2_028D2E77
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D30D00_2_028D30D0
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D01030_2_028D0103
            Source: Quotation Request.pdf.exeBinary or memory string: OriginalFilename vs Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exe, 00000000.00000000.245539233.0000000000642000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStaticIndexRangePartition.exe4 vs Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exe, 00000000.00000002.280644583.00000000070A0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exeBinary or memory string: OriginalFilenameStaticIndexRangePartition.exe4 vs Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: eqNjYDmhJoX.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Quotation Request.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: eqNjYDmhJoX.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Quotation Request.pdf.exeReversingLabs: Detection: 11%
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile read: C:\Users\user\Desktop\Quotation Request.pdf.exeJump to behavior
            Source: Quotation Request.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\Quotation Request.pdf.exe 'C:\Users\user\Desktop\Quotation Request.pdf.exe'
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File created: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAC55.tmp
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/9@25/2
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Quotation Request.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Quotation Request.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000003.290185349.0000000001113000.00000004.00000001.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Quotation Request.pdf.exe, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: eqNjYDmhJoX.exe.0.dr, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Quotation Request.pdf.exe.640000.0.unpack, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Quotation Request.pdf.exe.640000.0.unpack, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_00FB61F1 push ebx; retf | 0_2_00FB61F2
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_00FB61F4 push ebx; retf | 0_2_00FB61F6
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_00FB73D4 pushad ; iretd | 0_2_00FB73E9
            Source: initial sample | Static PE information: section name: .text entropy: 7.85672483308
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File created: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
            Uses an obfuscated file name to hide its real file extension (double extension)
            Source: Possible double extension: pdf.exe | Static PE information: Quotation Request.pdf.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process information set: NOOPENFILEERRORBOX