Windows Analysis Report: Quotation Request.pdf.scr

Overview

General Information

Sample Name: Quotation Request.pdf.scr (renamed file extension from scr to exe)
Analysis ID: 501145
MD5: 95d884c21021e67ea7e9e204a0488fa3
SHA1: 38786584d7caf1b36e7b72bf85099a82589c48a6
SHA256: b7e4d5626ef15e8584e644e1bfaade75c1faaa54549bde7560f44bd3550281de
Tags: exe, nanocore

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • Quotation Request.pdf.exe (PID: 4556 cmdline: 'C:\Users\user\Desktop\Quotation Request.pdf.exe' MD5: 95D884C21021E67EA7E9E204A0488FA3)
    • schtasks.exe (PID: 2812 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 408 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup
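The process tree above is exactly the telemetry a process-creation rule consumes. What follows is an added example, not part of the Joe Sandbox report: a small Python triage that re-derives three of the report's findings from constructed events shaped after the tree: the double extension of the initial sample, schtasks.exe creating a task from an XML file in the user's Temp directory, and RegSvcs.exe started with an empty command line (the "sacrificial process" pattern behind the Sigma hit). PIDs, images and command lines are the report's; the field names (image, cmdline, parent_image), the explorer.exe parent of PID 4556 and the benign schtasks /Query control (PID 9001) are assumptions.

```python
import re

# A document-looking name followed by an executable extension, as in
# "Quotation Request.pdf.exe".
LURE_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Signed .NET utilities that normally take an assembly path on the command
# line; started with no arguments they are usually only a host for injected code.
SACRIFICIAL = {"regsvcs.exe", "regasm.exe", "installutil.exe"}

# Constructed process-creation events shaped after the report's process tree.
# PIDs, images and command lines are the report's; the field names, the
# explorer.exe parent of PID 4556 and the benign PID 9001 control are assumptions.
EVENTS = [
    {"pid": 4556,
     "image": r"C:\Users\user\Desktop\Quotation Request.pdf.exe",
     "cmdline": r"'C:\Users\user\Desktop\Quotation Request.pdf.exe'",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 2812,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'",
     "parent_image": r"C:\Users\user\Desktop\Quotation Request.pdf.exe"},
    {"pid": 5048,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "parent_image": r"C:\Windows\SysWOW64\schtasks.exe"},
    {"pid": 408,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "parent_image": r"C:\Users\user\Desktop\Quotation Request.pdf.exe"},
    {"pid": 9001,  # benign control: an operator listing scheduled tasks
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Query /FO LIST",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def tokens(cmdline):
    """Split a command line into arguments, honouring the single quotes that
    Joe Sandbox prints in place of double quotes."""
    return [a or b for a, b in re.findall(r"'([^']*)'|(\S+)", cmdline)]


def double_extension(image):
    """True for names like lure.pdf.exe: a document extension hiding an executable one."""
    parts = image.rsplit("\\", 1)[-1].lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in LURE_EXT and "." + parts[2] in EXEC_EXT


def schtasks_xml_from_temp(image, cmdline):
    """schtasks /Create whose /XML definition lives in the user's Temp directory."""
    if not image.lower().endswith("\\schtasks.exe"):
        return False
    toks = [t.lower() for t in tokens(cmdline)]
    if "/create" not in toks or "/xml" not in toks:
        return False
    i = toks.index("/xml")
    xml = toks[i + 1] if i + 1 < len(toks) else ""
    return "\\appdata\\local\\temp\\" in xml or xml.endswith(".tmp")


def sacrificial_without_args(image, cmdline):
    """A .NET helper binary launched with nothing but its own path."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name in SACRIFICIAL and len(tokens(cmdline)) <= 1


def triage(events):
    """Return [(pid, finding), ...] for every event that trips a check."""
    findings = []
    for e in events:
        if double_extension(e["image"]):
            findings.append((e["pid"], "double extension hides executable type"))
        if schtasks_xml_from_temp(e["image"], e["cmdline"]):
            findings.append((e["pid"], "schtasks /Create from XML in user Temp"))
        if sacrificial_without_args(e["image"], e["cmdline"]):
            findings.append((e["pid"], "sacrificial .NET utility started with no arguments"))
    return findings


if __name__ == "__main__":
    for pid, what in triage(EVENTS):
        print(f"PID {pid}: {what}")
```

The conhost.exe child is deliberately left alone: it is a normal companion of any console process and a rule that keys on it produces noise. The RegSvcs.exe check also matches the report's "Possible Applocker Bypass" hit, since a signed Microsoft binary hosting injected code is exactly how allow-listing is sidestepped; in production, add the parent's location (a user-profile path here) as a second condition to keep legitimate installer activity out.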

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
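The extracted configuration is the most actionable artefact on this page. As an added example, not part of the Joe Sandbox report, the Python below parses a subset of that configuration into hunt IOCs and runs them over constructed DNS and flow records shaped after what the report observed (a query for harold.accesscam.org and the TCP connection 192.168.2.7:49756 -> 185.19.85.137:6051). The record layouts, the corporate resolver 10.0.0.53, the A-record answer and the benign records are assumptions. It keys on the configured domains and port rather than on every URL string found in memory; the fontbureau, tiro and urwpp strings listed under Networking further down are typical embedded-font licence text, not C2.

```python
import json

# Subset of the configuration the report's extractor recovered. Values are the
# report's; keys that do not matter for hunting are omitted.
CONFIG_JSON = """{"Version": "1.2.2.0",
 "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5",
 "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051,
 "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "BypassUAC": "Disable",
 "ClearZoneIdentifier": "Enable", "UseCustomDNS": "Enable",
 "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}"""

# Constructed records. The first DNS record and the first flow mirror the report's
# observations; the resolver field, the answer, 10.0.0.53 as the corporate resolver
# and the RFC 5737 benign addresses are assumptions.
DNS_LOG = [
    {"src": "192.168.2.7", "resolver": "8.8.8.8", "qname": "harold.accesscam.org", "answer": "185.19.85.137"},
    {"src": "192.168.2.7", "resolver": "10.0.0.53", "qname": "www.example.com", "answer": "203.0.113.10"},
    {"src": "192.168.2.9", "resolver": "10.0.0.53", "qname": "login.example.net", "answer": "203.0.113.20"},
]
FLOW_LOG = [
    {"src": "192.168.2.7", "sport": 49756, "dst": "185.19.85.137", "dport": 6051, "proto": "tcp"},
    {"src": "192.168.2.7", "sport": 49801, "dst": "203.0.113.10", "dport": 443, "proto": "tcp"},
    {"src": "192.168.2.9", "sport": 51000, "dst": "203.0.113.20", "dport": 443, "proto": "tcp"},
]
CORP_RESOLVERS = {"10.0.0.53"}  # assumption: the only resolver hosts should talk to


def load_config():
    """Parse the extractor's JSON into a dict."""
    return json.loads(CONFIG_JSON)


def extract_iocs(cfg):
    """Pull network/host IOCs plus the two settings that change how you hunt."""
    domains = {v.lower() for k, v in cfg.items() if k.startswith("Domain") and v}
    custom_dns = ([cfg["PrimaryDNSServer"], cfg["BackupDNSServer"]]
                  if cfg.get("UseCustomDNS") == "Enable" else [])
    return {
        "domains": domains,
        "port": int(cfg["Port"]),
        "mutex": cfg["Mutex"],              # host-side IOC for live-response checks
        "custom_dns": custom_dns,           # resolvers the implant talks to directly
        "clears_motw": cfg.get("ClearZoneIdentifier") == "Enable",
    }


def hunt(iocs, dns_log, flow_log, corp_resolvers=CORP_RESOLVERS):
    """Match IOCs against DNS and flow records; returns (kind, src, reason) tuples."""
    hits = []
    c2_ips = set()
    for r in dns_log:
        if r["qname"].lower() in iocs["domains"]:
            hits.append(("dns", r["src"], f"lookup of C2 domain {r['qname']}"))
            if r.get("answer"):
                c2_ips.add(r["answer"])  # pivot from name to the address it resolved to
        # The implant's own resolver setting bypasses the corporate resolver, so the
        # query itself only shows up as egress to a non-approved resolver.
        if r["resolver"] in iocs["custom_dns"] and r["resolver"] not in corp_resolvers:
            hits.append(("dns", r["src"], f"resolver bypass via {r['resolver']}"))
    for f in flow_log:
        if f["dst"] in c2_ips or (f["proto"] == "tcp" and f["dport"] == iocs["port"]):
            hits.append(("flow", f["src"], f"{f['dst']}:{f['dport']} matches C2 IP/port"))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(load_config())
    for kind, src, reason in hunt(iocs, DNS_LOG, FLOW_LOG):
        print(f"[{kind}] {src}: {reason}")
```

Two caveats the configuration itself raises. UseCustomDNS with 8.8.8.8 and 8.8.4.4 means the implant resolves its C2 names against Google's resolvers directly, so the corporate resolver's query log never records harold.accesscam.org; the lookup is only visible as UDP/53 egress to a resolver you did not approve, which is why the example flags that separately. ClearZoneIdentifier being enabled means the absence of a Zone.Identifier stream on the dropped eqNjYDmhJoX.exe says nothing about whether it came from the Internet. Port 6051 on its own is a weak indicator; pair it with the resolved address as the example does.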

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.271987580.0000000002D97000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xbc275:$x1: NanoCore.ClientPluginHost
  • 0xeea95:$x1: NanoCore.ClientPluginHost
  • 0xbc2b2:$x2: IClientNetworkHost
  • 0xeead2:$x2: IClientNetworkHost
  • 0xbfde5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xf2605:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xbbfdd:$a: NanoCore
  • 0xbbfed:$a: NanoCore
  • 0xbc221:$a: NanoCore
  • 0xbc235:$a: NanoCore
  • 0xbc275:$a: NanoCore
  • 0xee7fd:$a: NanoCore
  • 0xee80d:$a: NanoCore
  • 0xeea41:$a: NanoCore
  • 0xeea55:$a: NanoCore
  • 0xeea95:$a: NanoCore
  • 0xbc03c:$b: ClientPlugin
  • 0xbc23e:$b: ClientPlugin
  • 0xbc27e:$b: ClientPlugin
  • 0xee85c:$b: ClientPlugin
  • 0xeea5e:$b: ClientPlugin
  • 0xeea9e:$b: ClientPlugin
  • 0xbc163:$c: ProjectData
  • 0xee983:$c: ProjectData
  • 0x1efe33:$c: ProjectData
  • 0x265653:$c: ProjectData
  • 0xbcb6a:$d: DESCrypto

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.Quotation Request.pdf.exe.2d69644.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

            Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation Request.pdf.exe', ParentImage: C:\Users\user\Desktop\Quotation Request.pdf.exe, ParentProcessId: 4556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation Request.pdf.exe', ParentImage: C:\Users\user\Desktop\Quotation Request.pdf.exe, ParentProcessId: 4556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Jbx Signature Overview

            AV Detection:

Found malware configuration
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: Quotation Request.pdf.exe | ReversingLabs: Detection: 11%
Multi AV Scanner detection for domain / URL
Source: harold.2waky.com | VirusTotal: Detection: 14%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe | ReversingLabs: Detection: 11%
Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY
Source: Quotation Request.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Quotation Request.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb | source: RegSvcs.exe, 00000007.00000003.290185349.0000000001113000.00000004.00000001.sdmp

            Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: harold.accesscam.org
Source: Malware configuration extractor | URLs: harold.2waky.com
Source: Joe Sandbox View | ASN Name: DATAWIRE-ASCH
Source: Joe Sandbox View | IP Address: 185.19.85.137
Source: global traffic | TCP traffic: 192.168.2.7:49756 -> 185.19.85.137:6051
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000003.247763670.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation Request.pdf.exe, 00000000.00000003.256449463.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation Request.pdf.exe, 00000000.00000003.257539567.00000000051B2000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma2
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsk
Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: Quotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Quotation Request.pdf.exe, 00000000.00000003.247318440.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com-
Source: Quotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX
Source: Quotation Request.pdf.exe, 00000000.00000003.247222256.00000000051DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comx
Source: Quotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation Request.pdf.exe, 00000000.00000003.250899369.00000000051A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/ru
Source: Quotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnZ
Source: Quotation Request.pdf.exe, 00000000.00000003.250354410.00000000051B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: Quotation Request.pdf.exe, 00000000.00000003.249579657.00000000051A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr-cM
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmB
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation Request.pdf.exe, 00000000.00000003.252824955.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//C
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0C
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0Pq
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/2
Source: Quotation Request.pdf.exe, 00000000.00000003.253130198.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation Request.pdf.exe, 00000000.00000003.253855605.00000000051B2000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000003.253868234.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Quotation Request.pdf.exe, 00000000.00000003.252541339.00000000051BB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comlic
Source: Quotation Request.pdf.exe, 00000000.00000003.252432324.00000000051BB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnta;
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de9;
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deax;
Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation Request.pdf.exe, 00000000.00000003.251414571.00000000051AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn5
Source: unknown | DNS traffic detected: queries for: harold.accesscam.org

            E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY

            System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Quotation Request.pdf.exe
Source: Quotation Request.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_00644351
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_00FB2E09
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_028D86AB
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_028D0110
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_028D2E88
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_028D2E77
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_028D30D0
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_028D0103
Source: Quotation Request.pdf.exe | Binary or memory string: OriginalFilename vs Quotation Request.pdf.exe
Source: Quotation Request.pdf.exe, 00000000.00000000.245539233.0000000000642000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStaticIndexRangePartition.exe4 vs Quotation Request.pdf.exe
Source: Quotation Request.pdf.exe, 00000000.00000002.280644583.00000000070A0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs Quotation Request.pdf.exe
Source: Quotation Request.pdf.exe | Binary or memory string: OriginalFilenameStaticIndexRangePartition.exe4 vs Quotation Request.pdf.exe
Source: Quotation Request.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eqNjYDmhJoX.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation Request.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eqNjYDmhJoX.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Quotation Request.pdf.exe | ReversingLabs: Detection: 11%
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File read: C:\Users\user\Desktop\Quotation Request.pdf.exe
Source: Quotation Request.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Quotation Request.pdf.exe 'C:\Users\user\Desktop\Quotation Request.pdf.exe'
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File created: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAC55.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/9@25/2
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Quotation Request.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Quotation Request.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000003.290185349.0000000001113000.00000004.00000001.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Quotation Request.pdf.exe, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: eqNjYDmhJoX.exe.0.dr, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Quotation Request.pdf.exe.640000.0.unpack, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Quotation Request.pdf.exe.640000.0.unpack, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_00FB61F1 push ebx; retf
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_00FB61F4 push ebx; retf
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Code function: 0_2_00FB73D4 pushad ; iretd
            Source: initial sample | Static PE information: section name: .text entropy: 7.85672483308
            Source: initial sample | Static PE information: section name: .text entropy: 7.85672483308
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | File created: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
            Uses an obfuscated file name to hide its real file extension (double extension)
            Source: Possible double extension: pdf.exe | Static PE information: Quotation Request.pdf.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process information set: NOOPENFILEERRORBOX (33 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (44 identical entries)

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.2d69644.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.271987580.0000000002D97000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Quotation Request.pdf.exe PID: 4556, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe TID: 4356 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 703
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 638
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: ACF008
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Source: RegSvcs.exe, 00000007.00000003.290185349.0000000001113000.00000004.00000001.sdmp | Binary or memory string: Program Manager
            Source: RegSvcs.exe, 00000007.00000003.327061567.0000000001113000.00000004.00000001.sdmp | Binary or memory string: Program ManagerP8
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quotation Request.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct (13 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct (13 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct (13 occurrences)

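The RegSvcs.exe rows above are the high-signal part of this block. A stock .NET Framework utility has no reason to read MachineGuid or to enumerate AntiVirusProduct, AntiSpywareProduct and FirewallProduct from ROOT\SecurityCenter2, so those queries are the injected NanoCore payload fingerprinting the host from inside its sacrificial process; the font VolumeInformation rows, by contrast, are ordinary .NET font enumeration and carry little weight on their own. The Python below is an added detection example, not part of the Joe Sandbox report: it replays constructed process events modelled on these rows and flags SecurityCenter2 and MachineGuid access by .NET sacrificial hosts. RegSvcs.exe is the host seen here; the other host names, the event layout and the inventory.exe control case are assumptions.

```python
"""Flag security-software discovery from .NET sacrificial host processes.

Added example, not part of the Joe Sandbox report. The event lines below are
constructed in a simplified "<image> | <action> | <detail>" form modelled on
the report's RegSvcs.exe rows; the field layout, the extra host names and the
inventory.exe control case are assumptions.
"""
import re
from collections import Counter
from ntpath import basename

# .NET Framework utilities that .NET loaders commonly hollow and run their
# payload in. RegSvcs.exe is the one observed in this report; the rest are
# assumed additions.
SACRIFICIAL_DOTNET_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
}

SECURITY_CENTER_RE = re.compile(
    r"ROOT\\SecurityCenter2\s*:\s*SELECT\s+\w+\s+FROM\s+"
    r"(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)", re.IGNORECASE)
MACHINE_GUID_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\s+MachineGuid",
    re.IGNORECASE)
SECURITY_CENTER_CLASSES = ("AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct")

# Constructed events (not a real log): all but the last mirror report rows,
# the last is a legitimate inventory agent used as a control.
SAMPLE_EVENTS = """\
C:\\Users\\user\\Desktop\\Quotation Request.pdf.exe | Queries volume information | C:\\Windows\\Fonts\\marlett.ttf VolumeInformation
C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe | Key value queried | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid
C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe | WMI Queries | IWbemServices::ExecQuery - ROOT\\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe | WMI Queries | IWbemServices::ExecQuery - ROOT\\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe | WMI Queries | IWbemServices::ExecQuery - ROOT\\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
C:\\Program Files\\ExampleInventory\\inventory.exe | WMI Queries | IWbemServices::ExecQuery - ROOT\\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
"""


def parse_events(text):
    """Return (image, action, detail) triples from the pipe-separated form."""
    events = []
    for line in text.splitlines():
        if line.strip():
            image, action, detail = (p.strip() for p in line.split(" | ", 2))
            events.append((image, action, detail))
    return events


def profile_images(events):
    """Per image: which SecurityCenter2 classes it queried and whether it read MachineGuid."""
    profiles = {}
    for image, _action, detail in events:
        prof = profiles.setdefault(image, {"security_center": Counter(), "machine_guid": False})
        match = SECURITY_CENTER_RE.search(detail)
        if match:
            # normalise to the canonical class name regardless of the query's case
            cls = next(c for c in SECURITY_CENTER_CLASSES if c.lower() == match.group(1).lower())
            prof["security_center"][cls] += 1
        if MACHINE_GUID_RE.search(detail):
            prof["machine_guid"] = True
    return profiles


def findings(events):
    """Map image path -> list of reasons; images with no reason are omitted."""
    result = {}
    for image, prof in profile_images(events).items():
        sacrificial = basename(image).lower() in SACRIFICIAL_DOTNET_HOSTS
        classes = set(prof["security_center"])
        reasons = []
        if sacrificial and classes:
            reasons.append("SecurityCenter2 query from .NET sacrificial host")
        if sacrificial and prof["machine_guid"]:
            reasons.append("MachineGuid read from .NET sacrificial host")
        if classes == set(SECURITY_CENTER_CLASSES):
            reasons.append("full AV/antispyware/firewall sweep")
        if reasons:
            result[image] = reasons
    return result


if __name__ == "__main__":
    for image, reasons in findings(parse_events(SAMPLE_EVENTS)).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone it prints only the RegSvcs.exe image with all three reasons; the inventory.exe control, which issues the same AntiVirusProduct query from a non-sacrificial image, is not flagged, and the sample's font queries contribute nothing. In production the same two conditions apply to whatever telemetry exposes per-process WMI query text and registry reads (a sandbox, an EDR, or ETW tracing of the Microsoft-Windows-WMI-Activity provider); the image-name check is what keeps the rule from firing on legitimate inventory agents.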
            Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY

            Remote Access Functionality:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Techniques with at least one matching signature, by tactic (the digits in parentheses are the per-technique hit counters the matrix attaches to each entry). The remaining cells of the matrix are the unpopulated template.

Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1)
Privilege Escalation: Process Injection (212); Scheduled Task/Job (1)
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (212); Hidden Files and Directories (1); Obfuscated Files or Information (12); Software Packing (12)
Discovery: Query Registry (1); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Initial Access, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no matching signatures

Behavior Graph

(interactive process/behavior graph not reproduced in this text export)

Screenshots

(screenshot thumbnails not reproduced in this text export)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Quotation Request.pdf.exe | 11% | ReversingLabs | ByteCode-MSIL.Trojan.APost

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe | 11% | ReversingLabs | ByteCode-MSIL.Trojan.APost

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
harold.2waky.com | 15% | Virustotal
windowsupdate.s.llnwi.net | 0% | Virustotal
harold.accesscam.org | 5% | Virustotal

URLs

Apart from the two harold.* hostnames, the entries below are font-foundry URLs read out of TrueType name tables in the sample's memory, often with trailing overread bytes attached (e.g. "http://www.tiro.comslnta;"); they are artifacts of font enumeration, not indicators.

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htmB | 0% | Avira URL Cloud | safe
http://www.tiro.comslnta; | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn5 | 0% | Avira URL Cloud | safe
http://www.fonts.com- | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/2 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/9 | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/9 | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp//C | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
harold.accesscam.org | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cna | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0Pq | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.founder.com.cn/cnZ | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.fontbureau.comalsk | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/U | 0% | Avira URL Cloud | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fonts.comx | 0% | URL Reputation | safe
http://www.founder.com.cn/cnr-cM | 0% | Avira URL Cloud | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/U | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0C | 0% | Avira URL Cloud | safe
http://www.urwpp.deax; | 0% | Avira URL Cloud | safe
http://www.tiro.comlic | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ru | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.urwpp.de9; | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma2 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/q | 0% | URL Reputation | safe
http://www.fontbureau.comt | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/o | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
harold.2waky.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
harold.2waky.com | 185.19.85.137 | true | true | - | unknown
windowsupdate.s.llnwi.net | 178.79.242.0 | true | false | - | unknown
harold.accesscam.org | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
harold.accesscam.org | true | Avira URL Cloud: safe | unknown
harold.2waky.com | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htmB | Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comslnta; | Quotation Request.pdf.exe, 00000000.00000003.252432324.00000000051BB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.zhongyicts.com.cn5 | Quotation Request.pdf.exe, 00000000.00000003.251414571.00000000051AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com- | Quotation Request.pdf.exe, 00000000.00000003.247318440.00000000051DD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/2 | Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/9 | Quotation Request.pdf.exe, 00000000.00000003.253130198.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/9 | Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp; Quotation Request.pdf.exe, 00000000.00000003.247763670.00000000051DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp//C | Quotation Request.pdf.exe, 00000000.00000003.252824955.00000000051A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cna | Quotation Request.pdf.exe, 00000000.00000003.250354410.00000000051B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Quotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/Y0Pq | Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnZ | Quotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsk | Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/U | Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de | Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Quotation Request.pdf.exe, 00000000.00000003.253855605.00000000051B2000.00000004.00000001.sdmp; Quotation Request.pdf.exe, 00000000.00000003.253868234.00000000051BF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comx | Quotation Request.pdf.exe, 00000000.00000003.247222256.00000000051DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnr-cM | Quotation Request.pdf.exe, 00000000.00000003.249579657.00000000051A3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com= | Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comF | Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/U | Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0C | Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deax; | Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.comlic | Quotation Request.pdf.exe, 00000000.00000003.252541339.00000000051BB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ru | Quotation Request.pdf.exe, 00000000.00000003.250899369.00000000051A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.come.com | Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comX | Quotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmp | false | - | unknown
http://www.carterandcone.coml | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de9; | Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.coma2 | Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | Quotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Quotation Request.pdf.exe, 00000000.00000003.257539567.00000000051B2000.00000004.00000001.sdmp; Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/q | Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comt | Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/o | Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comalic | Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/ | Quotation Request.pdf.exe, 00000000.00000003.256449463.00000000051BF000.00000004.00000001.sdmp | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.19.85.137 | harold.2waky.com | Switzerland | 48971 | DATAWIRE-ASCH | true

Private

IP
                                    192.168.2.1
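
The two hostnames the report marks malicious, harold.2waky.com and harold.accesscam.org, both sit under free dynamic-DNS zones; one resolved to 185.19.85.137 (AS48971, Switzerland) during the run and the other never resolved, which makes it no less of an indicator, since the lookup itself is what a DNS log records. windowsupdate.s.llnwi.net is the analysis VM's Windows Update CDN traffic and is correctly marked not malicious. The Python below is an added hunting example, not part of the Joe Sandbox report: it matches constructed DNS-log lines against these indicators, keeps the unresolved host, and separately flags other labels under the same dynamic-DNS zones at lower confidence. The log layout, client addresses, timestamps and the assumption that the monitored network has no legitimate traffic to those zones are all constructed for the example.

```python
"""Match DNS-log lines against the report's contacted-domain/IP indicators.

Added example, not part of the Joe Sandbox report. The log lines, client
addresses and timestamps below are constructed; the indicator sets come
from the report's Contacted Domains / Contacted IPs tables.
"""
from ipaddress import ip_address

# Hostnames the report marks malicious, and the one C2 address that resolved.
C2_HOSTS = {"harold.2waky.com", "harold.accesscam.org"}
C2_IPS = {"185.19.85.137"}
# Marked not malicious: Windows Update CDN traffic from the analysis VM.
BENIGN_HOSTS = {"windowsupdate.s.llnwi.net"}
# Parent zones of the C2 hostnames (free dynamic-DNS domains). Any other
# label under them gets a low-confidence flag; this assumes the monitored
# network has no legitimate use for these zones.
DYNDNS_ZONES = {"2waky.com", "accesscam.org"}

# Constructed log: "<timestamp> <client> <qname> <rtype> <answer|NXDOMAIN>".
SAMPLE_DNS_LOG = """\
2021-10-12T15:49:02Z 192.168.2.22 harold.2waky.com A 185.19.85.137
2021-10-12T15:49:03Z 192.168.2.22 windowsupdate.s.llnwi.net A 178.79.242.0
2021-10-12T15:49:10Z 192.168.2.22 harold.accesscam.org A NXDOMAIN
2021-10-12T15:52:41Z 192.168.2.35 backup.2waky.com A 203.0.113.9
2021-10-12T15:53:00Z 192.168.2.40 www.example.com A 93.184.216.34
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rtype, answer) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rtype, answer = line.split()
            yield ts, client, qname.lower().rstrip("."), rtype, answer


def classify(qname, answer):
    """Return the set of indicator tags a single query/answer pair matches."""
    tags = set()
    if qname in BENIGN_HOSTS:
        return tags
    if qname in C2_HOSTS:
        tags.add(f"c2_host:{qname}")            # high confidence, resolved or not
    try:
        if str(ip_address(answer)) in C2_IPS:
            tags.add(f"c2_ip:{answer}")         # catches the address behind a new name
    except ValueError:
        pass                                    # NXDOMAIN or other non-address answer
    if not tags:
        for zone in DYNDNS_ZONES:
            if qname.endswith("." + zone):
                tags.add(f"dyndns_zone:{zone}")  # low confidence, needs triage
    return tags


def hunt(log_text):
    """Map each client address to the indicator tags seen in its queries."""
    hits = {}
    for _ts, client, qname, _rtype, answer in parse_dns_log(log_text):
        tags = classify(qname, answer)
        if tags:
            hits.setdefault(client, set()).update(tags)
    return hits


if __name__ == "__main__":
    for client, tags in sorted(hunt(SAMPLE_DNS_LOG).items()):
        print(client, sorted(tags))
```

Run stand-alone it reports 192.168.2.22 with both C2 hostnames and the C2 address, 192.168.2.35 with only the low-confidence zone match, and nothing for the client that queried example.com or for the Windows Update lookup. Keep the IP match even though the hostnames are the primary indicator: dynamic-DNS labels are cheap to rotate, the address behind them less so.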

                                    General Information

                                    Joe Sandbox Version:33.0.0 White Diamond
                                    Analysis ID:501145
                                    Start date:12.10.2021
                                    Start time:15:48:13
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 4s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:Quotation Request.pdf.scr (renamed file extension from scr to exe)
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:26
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@6/9@25/2
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 0.9% (good quality ratio 0.7%)
                                    • Quality average: 70.6%
                                    • Quality standard deviation: 36.8%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    Warnings:
                                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                    • TCP Packets have been reduced to 100
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.203.141.148, 20.199.120.182, 20.199.120.151, 95.100.216.89, 20.82.210.154, 20.54.110.249, 40.112.88.60, 2.20.178.33, 2.20.178.24, 20.199.120.85, 131.253.33.200, 13.107.22.200, 20.50.102.62
                                    • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, vip3-wns2-par02p.wns.notify.trafficmanager.net, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
15:49:19 | API Interceptor | 1x Sleep call for process: Quotation Request.pdf.exe modified
15:49:22 | API Interceptor | 898x Sleep call for process: RegSvcs.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection
185.19.85.137 | Proof of payment.jpg.exe | malicious
185.19.85.137 | Proof of payment.jpg.exe | malicious
185.19.85.137 | Proof of payment.jpg.scr.exe | malicious
185.19.85.137 | Proof of payment.jpg.scr.exe | malicious
185.19.85.137 | PROFORMA INVOICE 20210823.pdf.exe | malicious
185.19.85.137 | New Proforma Invoice20210630.xlxs.exe | malicious
185.19.85.137 | Proforma Invoice20210625.pdf.exe | malicious
185.19.85.137 | PcdEZG6zDS.exe | malicious
185.19.85.137 | sfTZCyMKuC.exe | malicious

                                                      Domains

Match | Associated Sample Name / URL | Detection | Context
harold.2waky.com | Proof of payment.jpg.exe | malicious | 185.19.85.137
harold.2waky.com | Proof of payment.jpg.scr.exe | malicious | 185.19.85.137
harold.2waky.com | Proof of payment.jpg.scr.exe | malicious | 185.19.85.137
harold.2waky.com | HxXHmM0T9f.exe | malicious | 23.146.242.147
harold.2waky.com | Request For Quotation.jar | malicious | 23.146.242.147
harold.2waky.com | QUOTE.exe | malicious | 194.5.98.5
harold.2waky.com | Payment proof.jpg.exe | malicious | 194.5.98.5
harold.2waky.com | Proof Of Payment.jpg.exe | malicious | 194.5.98.5
harold.2waky.com | Proof of payment.pdf.exe | malicious | 194.5.98.5
harold.2waky.com | Payment.pdf.exe | malicious | 91.193.75.29
harold.2waky.com | Payment Confirmation.exe | malicious | 185.165.153.213
windowsupdate.s.llnwi.net | Proof of payment.jpg.exe | malicious | 178.79.242.128
windowsupdate.s.llnwi.net | vk5MXd2Rxm.msi | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | jjBv8SpZXm.exe | malicious | 178.79.242.128
windowsupdate.s.llnwi.net | COPIA DE PAGO.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | Dekont.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | New Order Inquiry No.96883,pdf.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | orde443123.exe | malicious | 178.79.242.128
windowsupdate.s.llnwi.net | Invoice-514777_20211011.xlsb | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | dorlla.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | photos jpg.exe | malicious | 178.79.242.128
windowsupdate.s.llnwi.net | 2xYyRwsd4z.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | client.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | dAkJsQr7A9.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | Shipping Documents.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | preuve de paiement.exe | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | QUOTATIO.EXE | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | kR8No6snIq.exe | malicious | 178.79.242.128
windowsupdate.s.llnwi.net | DHL 299248 AWB 171021.exe | malicious | 178.79.242.128
windowsupdate.s.llnwi.net | Order_specs_sheet.pdf.jar | malicious | 178.79.242.0
windowsupdate.s.llnwi.net | pidHTSIGEi8DrAmaYu9K8ghN89.dll | malicious | 178.79.242.0

                                                      ASN

Match | Associated Sample Name / URL | Detection | Context
DATAWIRE-ASCH | Proof of payment.jpg.exe | malicious | 185.19.85.137
DATAWIRE-ASCH | Proof of payment.jpg.exe | malicious | 185.19.85.137
DATAWIRE-ASCH | MT103 10.11.pdf.exe | malicious | 185.19.85.136
DATAWIRE-ASCH | dAkJsQr7A9.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | GIV PO 00254.xls.exe | malicious | 185.19.85.136
DATAWIRE-ASCH | dUzAkYsvl8.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | BL & INVOICE.exe | malicious | 185.19.85.171
DATAWIRE-ASCH | Routing Details.vbs | malicious | 185.19.85.170
DATAWIRE-ASCH | Nueva orden #7624.xls.exe | malicious | 185.19.85.136
DATAWIRE-ASCH | voo7b2BBq6.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | xmsGPH324z.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | dVWsghK4Aj.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | Proof of payment.jpg.scr.exe | malicious | 185.19.85.137
DATAWIRE-ASCH | ShippingDocs.exe | malicious | 185.19.85.171
DATAWIRE-ASCH | 2E9xpfvD2O.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | Proof of payment.jpg.scr.exe | malicious | 185.19.85.137
DATAWIRE-ASCH | uF74GlbXPc.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | jFjTeUfek3.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | Q7DYDgQhKp.exe | malicious | 185.19.85.175
DATAWIRE-ASCH | USD31000.exe | malicious | 185.19.85.171

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Quotation Request.pdf.exe.log
                                                      Process:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):525
                                                      Entropy (8bit):5.2874233355119316
                                                      Encrypted:false
                                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                      MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                      C:\Users\user\AppData\Local\Temp\tmpAC55.tmp
                                                      Process:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1660
                                                      Entropy (8bit):5.187608923076909
                                                      Encrypted:false
                                                      SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBPtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3L
                                                      MD5:90ACD9A9C97A5C0E43DA656B494C79A0
                                                      SHA1:911E7AE189E24AC9E7DB82537F186EEE1D1F352F
                                                      SHA-256:8C19DE887CC9B2DBC4D20252D8955274AF48A62DD544096CFC0830AEEC0CA02E
                                                      SHA-512:7A193A28A1B8703D1A0B79401495AB6509A28BC2BB5E318EFAEC63CD2A01D4F50E684E9E5CADF03BA6F63BA233CC2B6C15070C76CD01D430BC0310F35E86B8DC
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1392
                                                      Entropy (8bit):7.089541637477408
                                                      Encrypted:false
                                                      SSDEEP:24:IQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4l:IknjhUknjhUknjhUknjhUknjhUknjhL
                                                      MD5:5E3C10DCF7AAB1A5E4671C3AD52D9BD2
                                                      SHA1:7DE7F5ACAED711BC35E62756D1440E80262D85D1
                                                      SHA-256:B9EB9E732F6204735FFB2C9A6EC8F077E4B4F31E57E336199D22278EAD8412F9
                                                      SHA-512:00252F19A1D0098FEBC78231182FAD57A66390077C0C462C94950D7CA02D53A7B7D692B4D7E718DF2708C1F7919CCB29837A2309E3BEFD2D585FF0C049E5FEB3
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):2.75
                                                      Encrypted:false
                                                      SSDEEP:3:O1o8tn:OFn
                                                      MD5:EEEF6DA74F6FA0AC71E338AD0B010144
                                                      SHA1:5C7F53209A792A7996DC66C1FB8811FD4D709661
                                                      SHA-256:7C860F32B254485BFAF2BC37A1CC9FF6A90F00CF11BA321E3DD68F0F76E23064
                                                      SHA-512:16C4352D1AF28B0CCFD9B3AE09B27E3080BEF3A0F40B7D1A35227AD2AACE06C17D6F56BDED3C8A477DB449B688512255A886005420D4DF7D892FEFA391B6C558
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: -....H
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):40
                                                      Entropy (8bit):5.153055907333276
                                                      Encrypted:false
                                                      SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                      MD5:4E5E92E2369688041CC82EF9650EDED2
                                                      SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                      SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                      SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                      Malicious:false
                                                      Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):80
                                                      Entropy (8bit):5.153055907333276
                                                      Encrypted:false
                                                      SSDEEP:3:9bzY6oRDT6P2bfVnXygY6oRDT6P2bfVn1:RzWDT62DWDT621
                                                      MD5:4315325323A62DE913E5CCD153817BCE
                                                      SHA1:8B38155CD8ACB20BBA0C2A8AF02BFD35B15221A8
                                                      SHA-256:E0C2085D878FDF53CD7D8F0AA9F07490802C51FC3C14A52B6FEA96AD0743C838
                                                      SHA-512:B5036A6CD4852CEBCA86F588D94B9D58B63EB07B2F4DEBD38D5E1BE68B0BB62F82FA239673B6C08F432A28DD50E1D15773DC3738251BD2F9959F1255D72745EB
                                                      Malicious:false
                                                      Preview: 9iH...}Z.4..f.~a........~.~.......3.U.9iH...}Z.4..f.~a........~.~.......3.U.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):426832
                                                      Entropy (8bit):7.999527918131335
                                                      Encrypted:true
                                                      SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
                                                      MD5:653DDDCB6C89F6EC51F3DDC0053C5914
                                                      SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
                                                      SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
                                                      SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
                                                      Malicious:false
                                                      Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
                                                      C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe
                                                      Process:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):650240
                                                      Entropy (8bit):7.635016130821497
                                                      Encrypted:false
                                                      SSDEEP:12288:QMySBziJmqgE0pGxgCfZk1LrWkHMlYp6/50jccyQ7w5MV:QMB5b3CfZHkKAA50VdU56
                                                      MD5:95D884C21021E67EA7E9E204A0488FA3
                                                      SHA1:38786584D7CAF1B36E7B72BF85099A82589C48A6
                                                      SHA-256:B7E4D5626EF15E8584E644E1BFAADE75C1FAAA54549BDE7560F44BD3550281DE
                                                      SHA-512:4AF1BF9C684F2AA3DEE982DCA10471FB912744385FE9567039BAF7109E51D70F85D3023544A0AC83595D73968406B8C269F5EDB59E1B9E8FCF96759549529BFD
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 11%
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*ea..............0......L.......... ........@.. .......................@............@.....................................O........H................... ....................................................... ............... ..H............text....... ...................... ..`.rsrc....H.......J..................@..@.reloc....... ......................@..B.......................H........_...P......}...`...8............................................0..4..........K......r...p...rC..p.......,.......+.........+..*.0..F..........+6...........................o.........,.ra..ps....z..X....i....-.*...0..d..........+N..+8.....(.......(...............o.........,.ra..ps....z..X....o........-...X....o..........-.*.0.............+j..+R..+:......(........(...............o.........,.ra..ps....z..X....o..........-...X....o..........-...X....o..........-.*".(.....
                                                      C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview: [ZoneTransfer]....ZoneId=0

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.635016130821497
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:Quotation Request.pdf.exe
                                                      File size:650240
                                                      MD5:95d884c21021e67ea7e9e204a0488fa3
                                                      SHA1:38786584d7caf1b36e7b72bf85099a82589c48a6
                                                      SHA256:b7e4d5626ef15e8584e644e1bfaade75c1faaa54549bde7560f44bd3550281de
                                                      SHA512:4af1bf9c684f2aa3dee982dca10471fb912744385fe9567039baf7109e51d70f85d3023544a0ac83595d73968406b8c269f5edb59e1b9e8fcf96759549529bfd
                                                      SSDEEP:12288:QMySBziJmqgE0pGxgCfZk1LrWkHMlYp6/50jccyQ7w5MV:QMB5b3CfZHkKAA50VdU56
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*ea..............0......L........... ........@.. .......................@............@................................

                                                      File Icon

                                                      Icon Hash:c4d2c4dcf4c6f230

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x48bcea
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x61652ADD [Tue Oct 12 06:27:41 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v2.0.50727
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

Instruction (only the first instruction is real code: the jmp through the IAT slot at RVA 0x2000 into mscoree!_CorExeMain, the standard native stub of a managed executable; the bytes that follow are not code, so the linear disassembly of them is meaningless)
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      fcom dword ptr [edx+00h]
                                                      add bl, ah
                                                      movsd
                                                      add byte ptr [eax], al
                                                      pop esp
                                                      stc
                                                      add byte ptr [eax], al
                                                      pop ecx
                                                      dec ebp
                                                      add dword ptr [eax], eax
                                                      push es
                                                      mov byte ptr [F7630001h], al
                                                      add dword ptr [eax], eax
                                                      mov dword ptr [ebp+02h], ecx
                                                      add byte ptr [ebp-5Ch], bl
                                                      add al, byte ptr [eax]

                                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8bc98 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x14804 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x89dd8 | 0x89e00 | False | 0.922330079896 | data | 7.85672483308 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8c000 | 0x14804 | 0x14a00 | False | 0.164701704545 | data | 4.56196917542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x8c178 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 100663296, next used block 100663296 | |
RT_ICON | 0x8e720 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 218103808, next used block 218103808 | |
RT_ICON | 0x8f7c8 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x8fc30 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_GROUP_ICON | 0xa0458 | 0x3e | data | |
RT_VERSION | 0xa0498 | 0x36c | data | |

The dBase and GLS strings in the Type column are libmagic guesses on the raw icon bitmaps; they do not indicate embedded database files.

                                                      Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                      Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018 - 2021
Assembly Version | 4.0.2.0
InternalName | StaticIndexRangePartition.exe
FileVersion | 4.0.2.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Win Mixer
ProductVersion | 4.0.2.0
FileDescription | Win Mixer
OriginalFilename | StaticIndexRangePartition.exe

The embedded product name (Win Mixer) and original file name (StaticIndexRangePartition.exe) bear no relation to the name the file was delivered under (Quotation Request.pdf.exe, a PDF-looking double extension); version resources like these are free-form and carry no trust on their own.
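Every value in the Static PE Info tables above (entry point and its section, link time stamp, DllCharacteristics, the data directories with their owning section, the per-section entropy, and the fact that the image is managed code) is read straight from the PE headers. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses those structures from a PE32 image, recomputes the Shannon entropy per section and raises the two static observations the report draws from them (CLR header present; executable section with entropy far above what plain code shows). The image it parses is constructed inline for the demonstration and is not the analysed binary; it reuses only the report's link time stamp (0x61652ADD) and DllCharacteristics combination, everything else about its layout is an arbitrary choice.

```python
# Added example (not from the sandbox report): parse PE32 headers and recompute
# the per-section entropy shown in the "Static PE Info" tables. The image parsed
# at the bottom is constructed inline for the demo and is NOT the analysed sample.
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]  # optional-header order
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
             0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8), the Sections table's Entropy column."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe32(buf: bytes) -> dict:
    """Parse DOS/COFF/optional headers, data directories and section table of a PE32."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[:2] != b"MZ" or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry, = struct.unpack_from("<I", buf, opt + 16)
    image_base, = struct.unpack_from("<I", buf, opt + 28)
    _subsys, dllchars = struct.unpack_from("<HH", buf, opt + 68)
    ndirs, = struct.unpack_from("<I", buf, opt + 92)
    dirs = {}
    for i in range(min(ndirs, 16)):
        va, size = struct.unpack_from("<II", buf, opt + 96 + 8 * i)
        if size:                                    # zero-sized entries are absent
            dirs[DIR_NAMES[i]] = (va, size)
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rsize": rsize, "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": entropy(buf[rptr:rptr + rsize])})

    def section_of(rva):                            # the "Is in Section" column
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
                return s["name"]
        return None

    return {"entrypoint": image_base + entry, "entrypoint_section": section_of(entry),
            "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
            "dll_characteristics": sorted(n for f, n in DLL_CHARS.items() if dllchars & f),
            "is_dotnet": "COM_DESCRIPTOR" in dirs,   # CLR header present => managed image
            "data_directories": {k: (va, sz, section_of(va)) for k, (va, sz) in dirs.items()},
            "sections": sections}


def triage(info: dict) -> list:
    """Static findings of the kind the report derives from these fields."""
    findings = ["managed .NET image (COM descriptor directory present)"] if info["is_dotnet"] else []
    for s in info["sections"]:
        if s["executable"] and s["entropy"] > 7.0:  # plain code sits well below 7 bits/byte
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted payload")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (NOT the analysed sample): CLR header, a .text whose
    bytes are uniformly distributed (entropy 8.0) and a repetitive .rsrc (entropy 2.0).
    The link time stamp and DllCharacteristics are the report's values; the rest is arbitrary."""
    text_raw, rsrc_raw = bytes(range(256)) * 4, b"ICON" * 128
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x61652ADD, 0, 0, 224, 0x0102)  # i386, 2 sections
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2] = (0x2090, 0x4F), (0x3000, 0x200)       # IMPORT, RESOURCE
    dirs[12], dirs[14] = (0x2000, 0x8), (0x2008, 0x48)       # IAT, COM_DESCRIPTOR
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 8, 0, len(text_raw),
                      len(rsrc_raw), 0, 0x2010, 0x2000, 0x3000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x400, 0x2000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x3000, 0x200, 0x600, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0") + text_raw + rsrc_raw


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())
    print({k: v for k, v in info.items() if k != "sections"}, triage(info), sep="\n")
```

Run against a real file, the same parse_pe32 reproduces the values in the tables above; the .text entropy of 7.86 bits/byte reported for this sample is the static side of what the sandbox later observes dynamically (a managed loader that unpacks and injects a second PE), since ordinary compiled code rarely exceeds about 6.5.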

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 15:49:41.289885044 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:41.404021025 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:41.404167891 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:41.452271938 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:41.589623928 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:41.589725971 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:41.753128052 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:41.753298998 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:41.865112066 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:41.865251064 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.031485081 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.031625032 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.200438023 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.200591087 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.232213020 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.232316017 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.232492924 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.232562065 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.232588053 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.232641935 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.232724905 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.232784986 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.344438076 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.344537973 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.344568968 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.344619036 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.344819069 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.344873905 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.345005989 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.345074892 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.345287085 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.345350027 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.345568895 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.345622063 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.345851898 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.345910072 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.345947981 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.345999002 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.459650993 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.459820032 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.460814953 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.460951090 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.461025953 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.461039066 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.461117029 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.461168051 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.461265087 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.461343050 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.461451054 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.461532116 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.461534023 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.461606979 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.461671114 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.461946011 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.462322950 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.462431908 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.462447882 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.462536097 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.462552071 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.462608099 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.463223934 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.463304996 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.463320971 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.463387966 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.463414907 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.463540077 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.463622093 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.571662903 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.571829081 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.571918964 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.573407888 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.573836088 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.573919058 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.577158928 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.577519894 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.577578068 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.577649117 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.577799082 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.577842951 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.577856064 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.577986956 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.578105927 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.578197002 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.578228951 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.578270912 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.578319073 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.581296921 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.581341982 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.581389904 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.581423044 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.581440926 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.581532001 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.581759930 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.581800938 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.581845045 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.581906080 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.581954002 CEST | 49756 | 6051 | 192.168.2.7 | 185.19.85.137
Oct 12, 2021 15:49:42.582065105 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.582148075 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7
Oct 12, 2021 15:49:42.582180977 CEST | 6051 | 49756 | 185.19.85.137 | 192.168.2.7

                                                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 15:49:25.446805954 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:25.466027975 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:49:26.437062979 CEST | 60338 | 53 | 192.168.2.7 | 8.8.4.4
Oct 12, 2021 15:49:26.613787889 CEST | 53 | 60338 | 8.8.4.4 | 192.168.2.7
Oct 12, 2021 15:49:27.565529108 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:27.745409966 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:49:32.029913902 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:32.167773962 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:49:32.403435946 CEST | 58052 | 53 | 192.168.2.7 | 8.8.4.4
Oct 12, 2021 15:49:32.578960896 CEST | 53 | 58052 | 8.8.4.4 | 192.168.2.7
Oct 12, 2021 15:49:32.804759026 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:32.823015928 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:49:36.888720989 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:37.068095922 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:49:37.148696899 CEST | 64569 | 53 | 192.168.2.7 | 8.8.4.4
Oct 12, 2021 15:49:37.166666031 CEST | 53 | 64569 | 8.8.4.4 | 192.168.2.7
Oct 12, 2021 15:49:37.173485994 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:37.191988945 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:49:41.263663054 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:41.282803059 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:49:47.804738998 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:47.827729940 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:49:54.211075068 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:49:54.232299089 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:00.510494947 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:00.530226946 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:06.939441919 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:06.960129023 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:13.268897057 CEST | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:13.287166119 CEST | 53 | 52689 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:18.193945885 CEST | 56209 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:18.212002993 CEST | 53 | 56209 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:24.683237076 CEST | 58542 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:24.701410055 CEST | 53 | 58542 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:32.143759966 CEST | 60927 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:32.162180901 CEST | 53 | 60927 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:38.403631926 CEST | 57854 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:38.422909975 CEST | 53 | 57854 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:44.623191118 CEST | 62026 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:44.643498898 CEST | 53 | 62026 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:50.973814011 CEST | 62826 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:50.994389057 CEST | 53 | 62826 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:50:57.031918049 CEST | 62046 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:50:57.050472975 CEST | 53 | 62046 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:51:03.064064026 CEST | 63908 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:51:03.086414099 CEST | 53 | 63908 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:51:09.126790047 CEST | 60212 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:51:09.145246983 CEST | 53 | 60212 | 8.8.8.8 | 192.168.2.7
Oct 12, 2021 15:51:16.425517082 CEST | 58867 | 53 | 192.168.2.7 | 8.8.8.8
Oct 12, 2021 15:51:16.442230940 CEST | 53 | 58867 | 8.8.8.8 | 192.168.2.7

                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 12, 2021 15:49:25.446805954 CEST | 192.168.2.7 | 8.8.8.8 | 0xbf69 | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:26.437062979 CEST | 192.168.2.7 | 8.8.4.4 | 0x6768 | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:27.565529108 CEST | 192.168.2.7 | 8.8.8.8 | 0x1a46 | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:32.029913902 CEST | 192.168.2.7 | 8.8.8.8 | 0x6cd3 | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:32.403435946 CEST | 192.168.2.7 | 8.8.4.4 | 0x4e54 | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:32.804759026 CEST | 192.168.2.7 | 8.8.8.8 | 0x90da | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:36.888720989 CEST | 192.168.2.7 | 8.8.8.8 | 0xe08a | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:37.148696899 CEST | 192.168.2.7 | 8.8.4.4 | 0x2875 | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:37.173485994 CEST | 192.168.2.7 | 8.8.8.8 | 0xe73c | Standard query (0) | harold.accesscam.org | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:41.263663054 CEST | 192.168.2.7 | 8.8.8.8 | 0x4a68 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:47.804738998 CEST | 192.168.2.7 | 8.8.8.8 | 0x1f17 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:49:54.211075068 CEST | 192.168.2.7 | 8.8.8.8 | 0x4f0a | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:00.510494947 CEST | 192.168.2.7 | 8.8.8.8 | 0xfdac | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:06.939441919 CEST | 192.168.2.7 | 8.8.8.8 | 0x3176 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:13.268897057 CEST | 192.168.2.7 | 8.8.8.8 | 0x4488 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:18.193945885 CEST | 192.168.2.7 | 8.8.8.8 | 0x2614 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:24.683237076 CEST | 192.168.2.7 | 8.8.8.8 | 0x2389 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:32.143759966 CEST | 192.168.2.7 | 8.8.8.8 | 0x5e9f | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:38.403631926 CEST | 192.168.2.7 | 8.8.8.8 | 0x1ccb | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:44.623191118 CEST | 192.168.2.7 | 8.8.8.8 | 0x1180 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:50.973814011 CEST | 192.168.2.7 | 8.8.8.8 | 0x9163 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:50:57.031918049 CEST | 192.168.2.7 | 8.8.8.8 | 0xb51c | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:51:03.064064026 CEST | 192.168.2.7 | 8.8.8.8 | 0x702a | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:51:09.126790047 CEST | 192.168.2.7 | 8.8.8.8 | 0x5fe9 | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)
Oct 12, 2021 15:51:16.425517082 CEST | 192.168.2.7 | 8.8.8.8 | 0xe98a | Standard query (0) | harold.2waky.com | A (IP address) | IN (0x0001)

                                                      DNS Answers


                                                      Code Manipulations

                                                      Statistics

                                                      Behavior

                                                      System Behavior

                                                      General

                                                      Start time: 15:49:10
                                                      Start date: 12/10/2021
                                                      Path: C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: 'C:\Users\user\Desktop\Quotation Request.pdf.exe'
                                                      Imagebase: 0x640000
                                                      File size: 650240 bytes
                                                      MD5 hash: 95D884C21021E67EA7E9E204A0488FA3
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: .Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.271987580.0000000002D97000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Reputation: low

                                                      General

                                                      Start time: 15:49:20
                                                      Start date: 12/10/2021
                                                      Path: C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'
                                                      Imagebase: 0xd70000
                                                      File size: 185856 bytes
                                                      MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high

                                                      General

                                                      Start time: 15:49:21
                                                      Start date: 12/10/2021
                                                      Path: C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase: 0x7ff774ee0000
                                                      File size: 625664 bytes
                                                      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high

                                                      General

                                                      Start time: 15:49:21
                                                      Start date: 12/10/2021
                                                      Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      Imagebase: 0x870000
                                                      File size: 32768 bytes
                                                      MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: .Net C# or VB.NET
                                                      Reputation: moderate

                                                      Disassembly

                                                      Code Analysis
