Windows Analysis Report SOA pdf.exe

Overview

General Information

Sample Name: SOA pdf.exe
Analysis ID: 510693
MD5: a4777dd931c6b16901478a2c1888dc27
SHA1: bac3170333a0c8da9e5e1827d065d78b683fbb53
SHA256: 59bb800d65d8c2670fe30e036b9d9d7e81ab3a863df72e1f00e27c709ddcf1e8
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 26.0.hgvQCmQ.exe.400000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "markhung@jingtai.com.vn", "Password": "truongtuyen2209", "Host": "Mail.jingtai.com.vn"}
Multi AV Scanner detection for submitted file
Source: SOA pdf.exe ReversingLabs: Detection: 25%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SneJGPA.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: SOA pdf.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\SneJGPA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 26.0.hgvQCmQ.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 18.0.hgvQCmQ.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.SOA pdf.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.SOA pdf.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 26.0.hgvQCmQ.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.SOA pdf.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 18.0.hgvQCmQ.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 18.0.hgvQCmQ.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.SOA pdf.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 18.2.hgvQCmQ.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 26.0.hgvQCmQ.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.SOA pdf.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 18.0.hgvQCmQ.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 26.0.hgvQCmQ.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 26.2.hgvQCmQ.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 18.0.hgvQCmQ.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 26.0.hgvQCmQ.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 4.2.SOA pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: SOA pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SOA pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49770 -> 103.15.48.233:587
Source: SOA pdf.exe, 00000004.00000002.630306300.0000000002871000.00000004.00000001.sdmp, hgvQCmQ.exe, 00000012.00000002.574206873.0000000002941000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000001A.00000002.629021312.0000000002B11000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: hgvQCmQ.exe, 0000001A.00000002.629021312.0000000002B11000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: SOA pdf.exe, 00000004.00000002.632033522.0000000002BD0000.00000004.00000001.sdmp String found in binary or memory: http://Mail.jingtai.com.vn
Source: SOA pdf.exe, 00000004.00000002.630306300.0000000002871000.00000004.00000001.sdmp String found in binary or memory: http://bWFhc41K6WqcMA6O.net
Source: SOA pdf.exe, 00000004.00000002.630306300.0000000002871000.00000004.00000001.sdmp String found in binary or memory: http://bWFhc41K6WqcMA6O.nett
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: SOA pdf.exe, 00000004.00000002.632033522.0000000002BD0000.00000004.00000001.sdmp String found in binary or memory: http://pro13.emailserver.vn
Source: hgvQCmQ.exe, 0000001A.00000002.629021312.0000000002B11000.00000004.00000001.sdmp String found in binary or memory: http://rlhupJ.com
Source: SOA pdf.exe, 00000001.00000002.399462595.0000000002CC1000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000000B.00000002.528563461.0000000002711000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP
Source: hgvQCmQ.exe, hgvQCmQ.exe, 0000000E.00000000.507259966.00000000008A2000.00000002.00020000.sdmp, hgvQCmQ.exe, 00000012.00000000.515358909.00000000004A2000.00000002.00020000.sdmp, hgvQCmQ.exe, 00000017.00000002.543098518.0000000000182000.00000002.00020000.sdmp, hgvQCmQ.exe, 0000001A.00000000.543649045.00000000006D2000.00000002.00020000.sdmp, SOA pdf.exe String found in binary or memory: http://tempuri.org/DatabaseDataSet.xsd
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SOA pdf.exe, 00000001.00000003.358166526.0000000005E9C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/5
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SOA pdf.exe, 00000001.00000003.360096130.0000000005E92000.00000004.00000001.sdmp, SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SOA pdf.exe, 00000001.00000003.360835511.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com4P
Source: SOA pdf.exe, 00000001.00000003.360835511.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsZP)
Source: SOA pdf.exe, 00000001.00000002.403233802.0000000005E80000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: SOA pdf.exe, 00000001.00000003.360835511.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: SOA pdf.exe, 00000001.00000003.360835511.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comitud
Source: SOA pdf.exe, 00000001.00000003.360835511.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comlicd
Source: SOA pdf.exe, 00000001.00000003.360835511.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsiva=P
Source: SOA pdf.exe, 00000001.00000003.360835511.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com~P
Source: SOA pdf.exe, 00000001.00000003.351784655.0000000005EBD000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: SOA pdf.exe, 00000001.00000003.351784655.0000000005EBD000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com9
Source: SOA pdf.exe, 00000001.00000003.351784655.0000000005EBD000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comX
Source: SOA pdf.exe, 00000001.00000003.351784655.0000000005EBD000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comy
Source: SOA pdf.exe, 00000001.00000003.353685426.0000000005E91000.00000004.00000001.sdmp, SOA pdf.exe, 00000001.00000003.353431356.0000000005E83000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SOA pdf.exe, 00000001.00000003.353431356.0000000005E83000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn5
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SOA pdf.exe, 00000001.00000003.355755914.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SOA pdf.exe, 00000001.00000003.355755914.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/=P
Source: SOA pdf.exe, 00000001.00000003.356034926.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SOA pdf.exe, 00000001.00000003.356034926.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=P
Source: SOA pdf.exe, 00000001.00000003.356034926.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/QP
Source: SOA pdf.exe, 00000001.00000003.355755914.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/~P
Source: SOA pdf.exe, 00000001.00000003.355755914.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s/r
Source: SOA pdf.exe, 00000001.00000003.355632091.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/soft
Source: SOA pdf.exe, 00000001.00000003.355755914.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/uP
Source: SOA pdf.exe, 00000001.00000003.356034926.0000000005E86000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/~P
Source: SOA pdf.exe, 00000001.00000003.357582998.0000000005EC6000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.4
Source: SOA pdf.exe, 00000001.00000003.351269595.000000000135D000.00000004.00000001.sdmp, SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SOA pdf.exe, 00000001.00000003.351269595.000000000135D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comiv4
Source: SOA pdf.exe, 00000001.00000003.351269595.000000000135D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comn
Source: SOA pdf.exe, 00000001.00000003.351269595.000000000135D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comn-u
Source: SOA pdf.exe, 00000001.00000003.351269595.000000000135D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comt
Source: SOA pdf.exe, 00000001.00000003.356579402.0000000005E92000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: SOA pdf.exe, 00000001.00000003.355033550.0000000005E9B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comI
Source: SOA pdf.exe, 00000001.00000003.355033550.0000000005E9B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comslnt
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: SOA pdf.exe, 00000001.00000003.357933861.0000000005E9E000.00000004.00000001.sdmp, SOA pdf.exe, 00000001.00000003.360930293.0000000005E92000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: SOA pdf.exe, 00000001.00000003.358166526.0000000005E9C000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de3
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SOA pdf.exe, 00000001.00000003.358166526.0000000005E9C000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deFy
Source: SOA pdf.exe, 00000001.00000003.358166526.0000000005E9C000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deras
Source: SOA pdf.exe, 00000001.00000002.403522952.0000000007092000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SOA pdf.exe, 00000001.00000002.401458000.00000000040A6000.00000004.00000001.sdmp, SOA pdf.exe, 00000004.00000002.622548824.0000000000402000.00000040.00000001.sdmp, hgvQCmQ.exe, 0000000B.00000002.532515883.0000000003850000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000000E.00000002.574319167.0000000003EA0000.00000004.00000001.sdmp, hgvQCmQ.exe, 00000012.00000000.523738351.0000000000402000.00000040.00000001.sdmp, hgvQCmQ.exe, 0000001A.00000000.553026976.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SOA pdf.exe, 00000004.00000002.630306300.0000000002871000.00000004.00000001.sdmp, hgvQCmQ.exe, 00000012.00000002.574206873.0000000002941000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000001A.00000002.629021312.0000000002B11000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: Mail.jingtai.com.vn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: SOA pdf.exe, 00000001.00000002.398891854.00000000010C0000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\SOA pdf.exe File written: C:\Windows\System32\drivers\etc\hosts
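The report records that the sample wrote to C:\Windows\System32\drivers\etc\hosts but not what it wrote. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: a hosts-file audit of the kind a responder runs on a host that triggered this signature. SAMPLE_HOSTS is constructed, the vendor-domain list is an assumption, and the three classifications (security domain sinkholed to loopback, name redirected to a remote address, any other active entry) are the author's own triage buckets.

```python
"""Added example (not from the report): audit a Windows hosts file for
infostealer-style tampering. SAMPLE_HOSTS is constructed; the vendor list is
an assumption about which names should never resolve to loopback."""
import ipaddress
import sys

# Constructed hosts content (assumption): the Windows default commented
# header, then entries a stealer might add to blind AV updates and hijack
# a web name, plus one legitimate LAN entry with an inline comment.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 virustotal.com www.virustotal.com
0.0.0.0   update.avira.com
203.0.113.9 www.example.com
192.168.1.10 printer.lan   # office printer, added by IT
"""

# Domains that should never resolve to loopback on an endpoint (assumed list).
SECURITY_DOMAINS = ("virustotal.com", "avira.com", "kaspersky.com", "eset.com",
                    "bitdefender.com", "mcafee.com", "symantec.com",
                    "windowsupdate.com", "microsoft.com")
# Address ranges where a hosts entry is plausibly an admin's LAN override.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "fc00::/7", "fe80::/10")]


def parse_hosts(text):
    """Return (ip, hostname) for every active mapping.

    Comment-only and malformed lines are skipped; a line may map several
    names to one address, and trailing '# ...' comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # not a hosts mapping
        for name in names:
            entries.append((ip_str, name.lower()))
    return entries


def classify(ip_str, host):
    """Triage bucket for one mapping (author's own categories)."""
    ip = ipaddress.ip_address(ip_str)
    vendor = any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)
    blackholed = ip.is_loopback or ip.is_unspecified  # 127.x / ::1 / 0.0.0.0
    if vendor and blackholed:
        return "sinkholed_security_domain"
    if blackholed or any(ip in net for net in LAN_NETS):
        return "unexpected_entry"
    return "redirect_to_remote_ip"


def audit_hosts(text):
    """Return (ip, host, reason) for every active entry in a hosts file."""
    return [(ip, host, classify(ip, host)) for ip, host in parse_hosts(text)]


if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to audit a
    # real file; with no argument the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for ip, host, reason in audit_hosts(text):
        print(f"{reason:28} {ip:16} {host}")
```

On a default Windows install every active line in this file is an addition, so "unexpected_entry" is worth a look even when it is benign; the two other buckets are the ones that should page someone.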

System Summary:

.NET source code contains very large array initializations
Source: 4.0.SOA pdf.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b0C8D2557u002d3889u002d400Fu002d9406u002d4B6CD9A29432u007d/u00312392A79u002dCB08u002d4B04u002d977Eu002d4794EB500DC5.cs Large array initialization: .cctor: array initializer size 11944
Source: 4.0.SOA pdf.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b0C8D2557u002d3889u002d400Fu002d9406u002d4B6CD9A29432u007d/u00312392A79u002dCB08u002d4B04u002d977Eu002d4794EB500DC5.cs Large array initialization: .cctor: array initializer size 11944
Uses 32bit PE files
Source: SOA pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_02CAE151 1_2_02CAE151
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_02CAC4B0 1_2_02CAC4B0
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_02CA9BF0 1_2_02CA9BF0
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075EF788 1_2_075EF788
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075EE808 1_2_075EE808
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E7D98 1_2_075E7D98
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E0040 1_2_075E0040
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E0006 1_2_075E0006
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_07954788 1_2_07954788
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_079533B8 1_2_079533B8
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_07958E32 1_2_07958E32
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_0795CA78 1_2_0795CA78
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_07958140 1_2_07958140
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_07954C60 1_2_07954C60
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_079533A9 1_2_079533A9
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_07950BE0 1_2_07950BE0
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_07958B12 1_2_07958B12
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_07950B30 1_2_07950B30
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_027247A0 4_2_027247A0
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_02723CCC 4_2_02723CCC
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_027246B0 4_2_027246B0
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_02725490 4_2_02725490
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_05B07538 4_2_05B07538
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_05B094F8 4_2_05B094F8
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_05B06920 4_2_05B06920
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_05B0E460 4_2_05B0E460
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_05B06C68 4_2_05B06C68
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_0259B35C 11_2_0259B35C
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_0259E170 11_2_0259E170
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_02599BF0 11_2_02599BF0
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_04C14788 11_2_04C14788
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_04C14778 11_2_04C14778
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_06A0F788 11_2_06A0F788
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_06A00006 11_2_06A00006
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_06A00040 11_2_06A00040
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_06A07D98 11_2_06A07D98
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_02BDB35C 14_2_02BDB35C
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_02BDE170 14_2_02BDE170
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_02BDC708 14_2_02BDC708
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_02BD9BF0 14_2_02BD9BF0
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_0823E808 14_2_0823E808
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_082398C0 14_2_082398C0
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_0823F788 14_2_0823F788
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_08230006 14_2_08230006
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_08230040 14_2_08230040
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_0823EC00 14_2_0823EC00
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_08237D98 14_2_08237D98
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C4C60 14_2_085C4C60
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C80B8 14_2_085C80B8
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C8DB8 14_2_085C8DB8
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085CCB00 14_2_085CCB00
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C4798 14_2_085C4798
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C33B8 14_2_085C33B8
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C0040 14_2_085C0040
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C9070 14_2_085C9070
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C0006 14_2_085C0006
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C3891 14_2_085C3891
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C9080 14_2_085C9080
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C80A9 14_2_085C80A9
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C38A0 14_2_085C38A0
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C5150 14_2_085C5150
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C5140 14_2_085C5140
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C553C 14_2_085C553C
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C69DF 14_2_085C69DF
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C51F2 14_2_085C51F2
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C89E8 14_2_085C89E8
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C8DAA 14_2_085C8DAA
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C39A7 14_2_085C39A7
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C6A30 14_2_085C6A30
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C8A98 14_2_085C8A98
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C8A88 14_2_085C8A88
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C0B30 14_2_085C0B30
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C0BE0 14_2_085C0BE0
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C4788 14_2_085C4788
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C33A9 14_2_085C33A9
Sample file is different than original file name gathered from version info
Source: SOA pdf.exe, 00000001.00000002.403921801.0000000007670000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs SOA pdf.exe
Source: SOA pdf.exe, 00000001.00000002.403751978.0000000007480000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs SOA pdf.exe
Source: SOA pdf.exe, 00000001.00000002.398167836.00000000009AE000.00000002.00020000.sdmp Binary or memory string: OriginalFilename6bpLA.exe4 vs SOA pdf.exe
Source: SOA pdf.exe, 00000001.00000002.398891854.00000000010C0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SOA pdf.exe
Source: SOA pdf.exe, 00000001.00000002.399462595.0000000002CC1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamebUkmBySTvXsKXLZKazvODwwtAMdjm.exe4 vs SOA pdf.exe
Source: SOA pdf.exe, 00000004.00000000.394195454.00000000005AE000.00000002.00020000.sdmp Binary or memory string: OriginalFilename6bpLA.exe4 vs SOA pdf.exe
Source: SOA pdf.exe, 00000004.00000002.622548824.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamebUkmBySTvXsKXLZKazvODwwtAMdjm.exe4 vs SOA pdf.exe
Source: SOA pdf.exe Binary or memory string: OriginalFilename6bpLA.exe4 vs SOA pdf.exe
PE file contains strange resources
Source: SOA pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SneJGPA.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hgvQCmQ.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SOA pdf.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\SOA pdf.exe File read: C:\Users\user\Desktop\SOA pdf.exe
Source: SOA pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SOA pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SOA pdf.exe 'C:\Users\user\Desktop\SOA pdf.exe'
Source: C:\Users\user\Desktop\SOA pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF7F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA pdf.exe Process created: C:\Users\user\Desktop\SOA pdf.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe 'C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe 'C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe'
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmp9A6B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe {path}
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCF7.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe {path}
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe {path}
Source: C:\Users\user\Desktop\SOA pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF7F.tmp'
Source: C:\Users\user\Desktop\SOA pdf.exe Process created: C:\Users\user\Desktop\SOA pdf.exe {path}
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmp9A6B.tmp'
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe {path}
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCF7.tmp'
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe {path}
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe {path}
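The process creations above show the two behaviours worth alerting on: a binary in a user profile path running schtasks.exe /Create with an XML task definition from %LocalAppData%\Temp (the 'Updates\SneJGPA' task), and the same binary starting a second copy of its own image with the placeholder command line {path}, which, together with the "Creates a process in suspended mode" and "Injects a PE file" signatures, is the usual shape of process hollowing. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: that detection logic run over constructed Sysmon-style process-creation events modelled on the report's process tree. The event field layout, the event records and the benign control record are assumptions, not sandbox data.

```python
"""Added example (not from the report): detection rules for the persistence
and self-injection chain seen in the process tree, run over constructed
process-creation events. Field names follow the Sysmon Event ID 1 layout
(ParentImage, Image, CommandLine) as an assumption."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed events modelled on the report's process tree (assumed layout).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\user\Desktop\SOA pdf.exe",
              r"'C:\Users\user\Desktop\SOA pdf.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\SOA pdf.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmpAF7F.tmp'"),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Users\user\Desktop\SOA pdf.exe",
              r"C:\Users\user\Desktop\SOA pdf.exe",
              "{path}"),
    # Benign control (constructed): an admin registers a task from ProgramData.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN 'Backup' /XML 'C:\ProgramData\backup\task.xml'"),
]

# Executables living under a user-writable profile directory.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|AppData|Downloads)\\", re.IGNORECASE)
# schtasks /Create ... /XML <file under %LocalAppData%\Temp>
TASK_XML_FROM_TEMP = re.compile(
    r"/Create\b.*?/XML\s+['\"]?[A-Za-z]:\\Users\\[^'\"]+\\AppData\\Local\\Temp\\",
    re.IGNORECASE | re.DOTALL)


def rule_task_xml_from_temp(ev):
    """ATT&CK T1053.005: a user-path binary registers a scheduled task whose
    definition is an XML file dropped in the user's Temp directory."""
    return (ntpath.basename(ev.image).lower() == "schtasks.exe"
            and USER_WRITABLE.search(ev.parent_image) is not None
            and TASK_XML_FROM_TEMP.search(ev.command_line) is not None)


def rule_self_spawn_from_user_path(ev):
    """ATT&CK T1055.012 candidate: a binary in a user-writable path starts a
    second instance of its own image, the usual hollowing target."""
    return (USER_WRITABLE.search(ev.image) is not None
            and ev.image.lower() == ev.parent_image.lower())


RULES = [("schtasks_xml_from_temp", rule_task_xml_from_temp),
         ("self_spawn_from_user_path", rule_self_spawn_from_user_path)]


def detect(events):
    """Return (rule_name, event_index) for every event matching a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{name}: {ev.parent_image} -> {ev.image} :: {ev.command_line}")
```

The parent-path condition is what keeps the schtasks rule quiet on the control event: task registration from an XML file is routine for installers and administrators, while a Desktop or AppData binary doing it from a tmp*.tmp file is the pattern in this report. The self-spawn rule fires on both the first-stage SOA pdf.exe and, on a real host, the hgvQCmQ.exe copy, since both start {path} children of their own image.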
Source: C:\Users\user\Desktop\SOA pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SOA pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SOA pdf.exe File created: C:\Users\user\AppData\Roaming\SneJGPA.exe
Source: C:\Users\user\Desktop\SOA pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpAF7F.tmp
Source: classification engine Classification label: mal100.troj.adwa.evad.winEXE@20/9@2/0
Source: C:\Users\user\Desktop\SOA pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SOA pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SOA pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: SOA pdf.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0 Perma Link
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1636:120:WilError_01
Source: 4.0.SOA pdf.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.SOA pdf.exe.400000.12.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SOA pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SOA pdf.exe Static file information: File size 1221632 > 1048576
Source: SOA pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SOA pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_008957B2 push esi; ret 1_2_008957B3
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_008983FB push ecx; retf 1_2_008983FC
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_00896721 push 6F060001h; retn 0004h 1_2_0089673D
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E2B34 push es; ret 1_2_075E2B35
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E2A50 push es; ret 1_2_075E2A52
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E124D push ds; ret 1_2_075E124F
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E323D push ds; iretd 1_2_075E3243
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E1AD5 push ss; ret 1_2_075E1AD7
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E1AF9 push ss; ret 1_2_075E1AFB
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E1A82 push ss; ret 1_2_075E1A83
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E22BC push cs; ret 1_2_075E22BD
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 1_2_075E12A4 push ds; ret 1_2_075E12A6
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_00496721 push 6F060001h; retn 0004h 4_2_0049673D
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_004983FB push ecx; retf 4_2_004983FC
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_004957B2 push esi; ret 4_2_004957B3
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_05B0D4B7 push eax; ret 4_2_05B0D4CD
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_05B0F926 pushfd ; ret 4_2_05B0F927
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_00256721 push 6F060001h; retn 0004h 11_2_0025673D
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_002557B2 push esi; ret 11_2_002557B3
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_002583FB push ecx; retf 11_2_002583FC
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_04C19A70 pushad ; iretd 11_2_04C19A71
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 11_2_06A0323D push ds; iretd 11_2_06A03243
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_008A57B2 push esi; ret 14_2_008A57B3
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_008A83FB push ecx; retf 14_2_008A83FC
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_008A6721 push 6F060001h; retn 0004h 14_2_008A673D
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_02BD7FC0 push edx; ret 14_2_02BD8154
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_0823323D push ds; iretd 14_2_08233243
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Code function: 14_2_085C6DEC push eax; ret 14_2_085C6DED
Source: initial sample Static PE information: section name: .text entropy: 7.20610912902

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SOA pdf.exe File created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe
Source: C:\Users\user\Desktop\SOA pdf.exe File created: C:\Users\user\AppData\Roaming\SneJGPA.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\SOA pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF7F.tmp'
Source: C:\Users\user\Desktop\SOA pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run hgvQCmQ

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SOA pdf.exe File opened: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SOA pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SOA pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0000000B.00000002.531462689.0000000002A6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SOA pdf.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 396, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SOA pdf.exe, 00000001.00000002.399462595.0000000002CC1000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000000B.00000002.531462689.0000000002A6E000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SOA pdf.exe, 00000001.00000002.399462595.0000000002CC1000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000000B.00000002.531462689.0000000002A6E000.00000004.00000001.sdmp, hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SOA pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SOA pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SOA pdf.exe TID: 6164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SOA pdf.exe TID: 6828 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\SOA pdf.exe TID: 6832 Thread sleep count: 275 > 30
Source: C:\Users\user\Desktop\SOA pdf.exe TID: 6832 Thread sleep count: 9581 > 30
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe TID: 4928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe TID: 6284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe TID: 7120 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe TID: 7136 Thread sleep count: 923 > 30
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe TID: 7136 Thread sleep count: 8906 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SOA pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SOA pdf.exe Window / User API: threadDelayed 9581
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Window / User API: threadDelayed 923
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Window / User API: threadDelayed 8906
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SOA pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SOA pdf.exe Process information queried: ProcessInformation
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: vmware
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: hgvQCmQ.exe, 0000000E.00000002.568468445.0000000002D61000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: SOA pdf.exe, 00000004.00000002.628297222.0000000000C67000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\SOA pdf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SOA pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Users\user\Desktop\SOA pdf.exe File written: C:\Windows\System32\drivers\etc\hosts
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SOA pdf.exe Memory written: C:\Users\user\Desktop\SOA pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Memory written: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SOA pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF7F.tmp'
Source: C:\Users\user\Desktop\SOA pdf.exe Process created: C:\Users\user\Desktop\SOA pdf.exe {path}
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmp9A6B.tmp'
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe {path}
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SneJGPA' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCF7.tmp'
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Process created: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe {path}
Source: SOA pdf.exe, 00000004.00000002.629722224.0000000001280000.00000002.00020000.sdmp, hgvQCmQ.exe, 0000001A.00000002.628148405.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: SOA pdf.exe, 00000004.00000002.629722224.0000000001280000.00000002.00020000.sdmp, hgvQCmQ.exe, 0000001A.00000002.628148405.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: SOA pdf.exe, 00000004.00000002.629722224.0000000001280000.00000002.00020000.sdmp, hgvQCmQ.exe, 0000001A.00000002.628148405.00000000014C0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: SOA pdf.exe, 00000004.00000002.629722224.0000000001280000.00000002.00020000.sdmp, hgvQCmQ.exe, 0000001A.00000002.628148405.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Users\user\Desktop\SOA pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Users\user\Desktop\SOA pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hgvQCmQ\hgvQCmQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SOA pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SOA pdf.exe Code function: 4_2_05B0516C GetUserNameW, 4_2_05B0516C

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\SOA pdf.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 1.2.SOA pdf.exe.3f5dab8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hgvQCmQ.exe.39adab8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.hgvQCmQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hgvQCmQ.exe.38f7e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hgvQCmQ.exe.39adab8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.hgvQCmQ.exe.3ffdab8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.hgvQCmQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SOA pdf.exe.3ea7e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SOA pdf.exe.3f5dab8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.hgvQCmQ.exe.3ffdab8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SOA pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.hgvQCmQ.exe.3f47e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000000.553026976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.523738351.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.559051654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.521046677.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.522087904.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.622610702.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.401458000.00000000040A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570961957.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.556463107.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.622548824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.554521283.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.392455880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.532515883.0000000003850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.394004490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.400803068.0000000003E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.393041501.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.519772323.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.393509699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.574319167.0000000003EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.629021312.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.574206873.0000000002941000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.630306300.0000000002871000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SOA pdf.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOA pdf.exe PID: 6484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 6620, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 0000001A.00000002.629021312.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.574206873.0000000002941000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.630306300.0000000002871000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SOA pdf.exe PID: 6484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 6620, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 1.2.SOA pdf.exe.3f5dab8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hgvQCmQ.exe.39adab8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.hgvQCmQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hgvQCmQ.exe.38f7e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SOA pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hgvQCmQ.exe.39adab8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.hgvQCmQ.exe.3ffdab8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.hgvQCmQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SOA pdf.exe.3ea7e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.hgvQCmQ.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SOA pdf.exe.3f5dab8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.hgvQCmQ.exe.3ffdab8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SOA pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.hgvQCmQ.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.hgvQCmQ.exe.3f47e68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000000.553026976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.523738351.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.559051654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.521046677.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.522087904.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.622610702.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.401458000.00000000040A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570961957.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.556463107.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.622548824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.554521283.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.392455880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.532515883.0000000003850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.394004490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.400803068.0000000003E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.393041501.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.519772323.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.393509699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.574319167.0000000003EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.629021312.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.574206873.0000000002941000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.630306300.0000000002871000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SOA pdf.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOA pdf.exe PID: 6484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hgvQCmQ.exe PID: 6620, type: MEMORYSTR
No contacted IP infos