
Windows Analysis Report PI.1872GAT02.pdf.exe

Overview

General Information

Sample Name: PI.1872GAT02.pdf.exe
Analysis ID: 553435
MD5: 1396637598469e7e918c70be938370d5
SHA1: c83510c66f043c3595960102ac030a3c99656768
SHA256: d6f3d5fbdc9c7f68e29260badb6fd6e8f1b606798fd9fe544e0b28387f21eaf9
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • PI.1872GAT02.pdf.exe (PID: 6900 cmdline: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" MD5: 1396637598469E7E918C70BE938370D5)
    • powershell.exe (PID: 5588 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 3500 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PI.1872GAT02.pdf.exe (PID: 6360 cmdline: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe MD5: 1396637598469E7E918C70BE938370D5)
  • catch.exe (PID: 5320 cmdline: "C:\Users\user\AppData\Roaming\catch\catch.exe" MD5: 1396637598469E7E918C70BE938370D5)
    • powershell.exe (PID: 4656 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4592 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • catch.exe (PID: 3500 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
    • catch.exe (PID: 4768 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
    • catch.exe (PID: 2292 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
    • catch.exe (PID: 4860 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
  • catch.exe (PID: 2772 cmdline: "C:\Users\user\AppData\Roaming\catch\catch.exe" MD5: 1396637598469E7E918C70BE938370D5)
    • powershell.exe (PID: 5612 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6632 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • catch.exe (PID: 2948 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(53 entries in the full report; the first 5 are shown here)

            Unpacked PEs

Source | Rule | Description | Author
0.2.PI.1872GAT02.pdf.exe.2797840.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
9.0.PI.1872GAT02.pdf.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.0.PI.1872GAT02.pdf.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
9.0.PI.1872GAT02.pdf.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.0.PI.1872GAT02.pdf.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(62 entries in the full report; the first 5 are shown here)

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, CommandLine: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, NewProcessName: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, OriginalFileName: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentCommandLine: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" , ParentImage: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentProcessId: 6900, ProcessCommandLine: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ProcessId: 6360
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" , ParentImage: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentProcessId: 6900, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp, ProcessId: 3500
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" , ParentImage: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentProcessId: 6900, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, ProcessId: 5588
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" , ParentImage: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentProcessId: 6900, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, ProcessId: 5588
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132867013418482993.5588.DefaultAppDomain.powershell
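The three process-creation Sigma rules above fire on two children of the double-extension sample: schtasks.exe importing a task XML from the user's Temp folder and powershell.exe adding a Defender exclusion for the dropped file. The Python below is an added example, not part of the Joe Sandbox report or of the Sigma rules themselves: it re-implements the matching logic of those three rules over process events constructed from the report's process tree, and adds one parent/child correlation (a double-extension parent spawning schtasks.exe or powershell.exe) that is the editor's own addition. The explorer.exe parent of the initial sample and the two benign control events are assumptions made for the example.

```python
"""Detection logic for the three process-creation Sigma rules that fired on
this sample, plus a parent/child correlation. Added example; EVENTS is
constructed from the report's process tree, not taken from a real event log."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # NewProcessName / Image
    command_line: str
    parent_image: str


# Constructed events. Command lines are copied from the report's process tree;
# the explorer.exe parent of the sample and the two benign controls are assumed.
EVENTS = [
    ProcessEvent(6900, r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
                 r'"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(5588, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                 r'-ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe',
                 r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"),
    ProcessEvent(3500, r"C:\Windows\SysWOW64\schtasks.exe",
                 r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" '
                 r'/XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp',
                 r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"),
    # Benign controls (assumed): an admin importing a task XML from ProgramData,
    # and a document *argument* with a double extension (the rule keys on Image).
    ProcessEvent(1234, r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\backup\task.xml"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4321, r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\user\Desktop\report.pdf.txt",
                 r"C:\Windows\explorer.exe"),
]

DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|rtf|txt|jpe?g|png|gif)\.exe$",
                        re.IGNORECASE)


def double_extension(ev: ProcessEvent) -> bool:
    """Image name ends in <document extension>.exe, the lure this sample uses."""
    return DOUBLE_EXT.search(ev.image) is not None


def task_from_user_temp(ev: ProcessEvent) -> bool:
    """schtasks /Create importing a task XML staged under AppData\\Local\\Temp."""
    cl = ev.command_line.lower()
    return (ev.image.lower().endswith("\\schtasks.exe")
            and "/create" in cl and "/xml" in cl
            and "\\appdata\\local\\temp\\" in cl)


def defender_exclusion(ev: ProcessEvent) -> bool:
    """PowerShell Add-MpPreference with any -Exclusion* parameter."""
    cl = ev.command_line.lower()
    return (ev.image.lower().endswith("\\powershell.exe")
            and "add-mppreference" in cl and "-exclusion" in cl)


def spawned_by_double_extension(ev: ProcessEvent) -> bool:
    """Correlation (editor's addition, not a report Sigma rule): persistence or
    defence-evasion LOLBins launched directly by a double-extension parent."""
    child = ev.image.lower()
    return (DOUBLE_EXT.search(ev.parent_image) is not None
            and child.endswith(("\\schtasks.exe", "\\powershell.exe")))


RULES = {
    "Suspicious Double Extension": double_extension,
    "Suspicius Add Task From User AppData Temp": task_from_user_temp,
    "Powershell Defender Exclusion": defender_exclusion,
    "Double-extension parent spawned LOLBin (added)": spawned_by_double_extension,
}


def run_detections(events) -> list:
    """Return (pid, rule_name) pairs for every rule that matches an event."""
    return [(ev.pid, name) for ev in events
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for pid, name in run_detections(EVENTS):
        print(f"PID {pid}: {name}")
```

Two details worth keeping from the report's data when porting this to a real pipeline: the double-extension rule keys on the image path, so a document argument with a double extension (the notepad.exe control) stays silent, and the Defender exclusion path and the task name share the dropped file name iDGyQtltoKmu.exe under AppData\Roaming, which makes that path a usable hunt string on its own.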

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: PI.1872GAT02.pdf.exe; Virustotal: Detection: 47%
Source: PI.1872GAT02.pdf.exe; ReversingLabs: Detection: 45%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\catch\catch.exe; ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe; ReversingLabs: Detection: 46%
Machine Learning detection for sample
Source: PI.1872GAT02.pdf.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\catch\catch.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.0.PI.1872GAT02.pdf.exe.400000.10.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.8.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.12.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.12.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.2.catch.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.10.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.0.PI.1872GAT02.pdf.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.2.PI.1872GAT02.pdf.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.10.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.8.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.2.catch.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

Source: PI.1872GAT02.pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: PI.1872GAT02.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: TextIn.pdb source: catch.exe, catch.exe, 00000018.00000000.473725790.0000000000272000.00000002.00020000.sdmp, catch.exe, 00000019.00000000.481075981.00000000003D2000.00000002.00020000.sdmp, catch.exe, 0000001C.00000000.485808707.0000000000332000.00000002.00020000.sdmp, catch.exe, 0000001F.00000000.490124493.0000000000942000.00000002.00020000.sdmp, catch.exe, 00000020.00000000.494419414.0000000000992000.00000002.00020000.sdmp, PI.1872GAT02.pdf.exe, catch.exe.9.dr, iDGyQtltoKmu.exe.0.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49845 -> 208.91.199.224:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49846 -> 208.91.199.224:587
Source: PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, catch.exe, 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.342428606.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.342376975.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.342448075.00000000055DA000.00000004.00000001.sdmp; String found in binary or memory: http://en.w
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341824019.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341652269.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341738040.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341718830.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.comH
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341824019.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341738040.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341718830.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.comY
Source: catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp; String found in binary or memory: http://oHtnSs.com
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, catch.exe, 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmp; String found in binary or memory: http://smtp.tranpotescamdonic.us
Source: PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmp; String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.355059217.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.agfamonotype.
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346720788.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346994696.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347052526.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346868051.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346747432.00000000055D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comTC
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comd
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.come
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comen
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comexc
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comicr
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comint
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comk.
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346299565.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comlo
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comncy
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comno
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comos
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comtigY
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.349563544.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349795020.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349485061.00000000055D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348682641.00000000055D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.350740671.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350834095.00000000055EE000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.350538299.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350106929.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350231749.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350179211.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350438951.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350272250.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350205792.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350063993.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350314698.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350585382.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350462344.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350509924.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350082934.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350165532.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350027194.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350418250.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350130711.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350397111.00000000055EE000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.350849136.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350908927.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers0.
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348918399.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349323893.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349002423.00000000055D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers2
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.349323893.00000000055D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers:
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.349485061.00000000055D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersH
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.351023238.00000000055CB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersk
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.382630491.0000000000AC7000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.382630491.0000000000AC7000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comtX(
Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.344513930.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344243109.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344699399.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344820593.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344944025.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344214607.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344651272.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345017322.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344593750.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/.m
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/r
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnn
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.344243109.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344214607.00000000055D0000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnn-u?
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.344513930.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344699399.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344820593.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344944025.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344651272.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344593750.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnsk.
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.355602281.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353253105.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355000874.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353979670.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354410089.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352539337.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353040919.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355456833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355059217.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355104139.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354676559.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352631483.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355798640.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353354516.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353914805.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355661429.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355512777.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353605294.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355335081.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354077275.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 
00000000.00000003.354188877.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352723895.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355558253.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354761451.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354807622.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353476286.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353190242.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354585604.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352897777.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355405169.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353702244.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355713046.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354887021.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352778011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386058108.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354288508.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355836459.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353859656.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354936948.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353542324.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355199978.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355256754.00000000055CB000.00000004.00000001.sdmp, 
PI.1872GAT02.pdf.exe, 00000000.00000003.355152588.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353790375.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.352539337.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352631483.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352723895.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352897777.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352778011.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm=
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr-e
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr.m
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.347717700.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347673213.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343671517.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343603284.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347806036.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347629233.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma)
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comk
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comt#
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346720788.00000000055D3000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.344046675.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.c
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr(
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krs-c
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com5
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348396796.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351070142.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351131352.00000000055D7000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deQ
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351070142.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351131352.00000000055D7000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.ded
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348543246.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348396796.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348682641.00000000055D0000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deettr
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnlt8
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.t
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnr-c
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000003.589182184.0000000001144000.00000004.00000001.sdmp | String found in binary or memory: https://JZAeubGsK9Sikz.org
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
                      Source: catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, catch.exe, 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, catch.exe, 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, catch.exe, 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknown | DNS traffic detected: queries for: smtp.tranpotescamdonic.us

                      System Summary:

                      Initial sample is a PE file and has a suspicious name
                      Source: initial sample | Static PE information: Filename: PI.1872GAT02.pdf.exe
                      .NET source code contains very large array initializations
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack, <PrivateImplementationDetails>{73F50571-8E40-411F-8F2B-0DBA915C720C}/51990C9F-ADF8-4F9C-BED8-3040FC7E7F13.cs | Large array initialization: .cctor: array initializer size 11932
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack, <PrivateImplementationDetails>{73F50571-8E40-411F-8F2B-0DBA915C720C}/51990C9F-ADF8-4F9C-BED8-3040FC7E7F13.cs | Large array initialization: .cctor: array initializer size 11932
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack, <PrivateImplementationDetails>{73F50571-8E40-411F-8F2B-0DBA915C720C}/51990C9F-ADF8-4F9C-BED8-3040FC7E7F13.cs | Large array initialization: .cctor: array initializer size 11932
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.10.unpack, <PrivateImplementationDetails>{73F50571-8E40-411F-8F2B-0DBA915C720C}/51990C9F-ADF8-4F9C-BED8-3040FC7E7F13.cs | Large array initialization: .cctor: array initializer size 11932
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.6.unpack, <PrivateImplementationDetails>{73F50571-8E40-411F-8F2B-0DBA915C720C}/51990C9F-ADF8-4F9C-BED8-3040FC7E7F13.cs | Large array initialization: .cctor: array initializer size 11932
                      Source: PI.1872GAT02.pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_00ABC9D4
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_00ABEE08
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_00ABEE18
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_07020006
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_07020040
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_07029DB3
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_07029DC0
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_07029DC0
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_01399108
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_01394500
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_0139488F
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_0139B718
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_01393308
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_01399860
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_0139F4A8
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_02E546A0
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_02E54690
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_02E54672
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_00BFC9D4
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_00BFEE18
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_00BFEE08
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_0834001E
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_0834C86C
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_08340040
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_0834513F
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_08349336
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_08349338
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 16_2_08349338
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_00D9C9D4
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_00D9EE18
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_00D9EE08
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_0849CA78
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_08499338
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_08490040
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_08490016
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_08499327
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Code function: 20_2_08499338
                      Source: PI.1872GAT02.pdf.exe | Binary or memory string: OriginalFilename vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000000.338145138.00000000002C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTextIn.exe0 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevuduTLYHGZhoMUxQolVCGKD.exe4 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevuduTLYHGZhoMUxQolVCGKD.exe4 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386729402.0000000006EB0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe | Binary or memory string: OriginalFilename vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000000.377475434.0000000000B62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTextIn.exe0 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamevuduTLYHGZhoMUxQolVCGKD.exe4 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe | Binary or memory string: OriginalFilenameTextIn.exe0 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: iDGyQtltoKmu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: catch.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: PI.1872GAT02.pdf.exe | Virustotal: Detection: 47%
                      Source: PI.1872GAT02.pdf.exe | ReversingLabs: Detection: 45%
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File read: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe "C:\Users\user\AppData\Roaming\catch\catch.exe"
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe "C:\Users\user\AppData\Roaming\catch\catch.exe"
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeFile created: C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exeJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpB28A.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@33/19@2/0
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1752:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: PI.1872GAT02.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PI.1872GAT02.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: PI.1872GAT02.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: TextIn.pdb source: catch.exe, catch.exe, 00000018.00000000.473725790.0000000000272000.00000002.00020000.sdmp, catch.exe, 00000019.00000000.481075981.00000000003D2000.00000002.00020000.sdmp, catch.exe, 0000001C.00000000.485808707.0000000000332000.00000002.00020000.sdmp, catch.exe, 0000001F.00000000.490124493.0000000000942000.00000002.00020000.sdmp, catch.exe, 00000020.00000000.494419414.0000000000992000.00000002.00020000.sdmp, PI.1872GAT02.pdf.exe, catch.exe.9.dr, iDGyQtltoKmu.exe.0.dr

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: PI.1872GAT02.pdf.exe, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: iDGyQtltoKmu.exe.0.dr, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.PI.1872GAT02.pdf.exe.2c0000.0.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.PI.1872GAT02.pdf.exe.2c0000.0.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: catch.exe.9.dr, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 9.0.PI.1872GAT02.pdf.exe.b60000.13.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 9.0.PI.1872GAT02.pdf.exe.b60000.3.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 9.0.PI.1872GAT02.pdf.exe.b60000.7.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: PI.1872GAT02.pdf.exe, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: iDGyQtltoKmu.exe.0.dr, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.0.PI.1872GAT02.pdf.exe.2c0000.0.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.2.PI.1872GAT02.pdf.exe.2c0000.0.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: catch.exe.9.dr, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 9.0.PI.1872GAT02.pdf.exe.b60000.13.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 9.0.PI.1872GAT02.pdf.exe.b60000.3.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 9.0.PI.1872GAT02.pdf.exe.b60000.7.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_0702D88D push FFFFFF8Bh; iretd
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_02E5DD39 push FFFFFF8Bh; iretd
                      Source: initial sample | Static PE information: section name: .text entropy: 7.24659563485
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File created: C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File created: C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run catch

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeFile opened: C:\Users\user\AppData\Roaming\catch\catch.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.2797840.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.278f834.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.27d661c.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.27bf844.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.27bf844.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.27c7850.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.27c7850.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6900, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 5320, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 2772, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, catch.exe, 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, catch.exe, 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 6904 | Thread sleep time: -34769s >= -30000s
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 6936 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6368 | Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 6060 | Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 2440 | Thread sleep count: 4166 > 30
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 2440 | Thread sleep count: 5649 > 30
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 2944 | Thread sleep time: -37884s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 6308 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4708 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 6376 | Thread sleep time: -33793s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 4828 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2296 | Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 4528 | Thread sleep count: 32 > 30
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 4528 | Thread sleep time: -29514790517935264s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 1752 | Thread sleep count: 3295 > 30
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 1752 | Thread sleep count: 6529 > 30
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6204
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2617
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Window / User API: threadDelayed 4166
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Window / User API: threadDelayed 5649
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7657
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 723
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6776
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1753
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Window / User API: threadDelayed 3295
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Window / User API: threadDelayed 6529
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Thread delayed: delay time: 34769
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Thread delayed: delay time: 37884
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Thread delayed: delay time: 33793
                      Source: catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_0139B718 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeMemory written: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeMemory written: C:\Users\user\AppData\Roaming\catch\catch.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeMemory written: C:\Users\user\AppData\Roaming\catch\catch.exe base: 400000 value starts with: 4D5A
                      Adds a directory exclusion to Windows DefenderShow sources
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
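The process-creation records above carry the three behaviours a detection engineer would key on: a Windows Defender exclusion added with Add-MpPreference for a path under the user's AppData, a scheduled task created by schtasks.exe from an XML definition in the Temp directory, and an executable launching a second copy of itself (the pattern behind the "Injects a PE file into a foreign processes" signature). The following is an added example written for this page, not code from the Joe Sandbox report or from any vendor: it classifies each record with those checks and collects the exclusion path and task name that an incident responder would need to remove. The sample input is constructed from the records listed above, plus one benign cmd.exe record that the report does not contain, included as a control; the tag names and the scoring threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input for this example: the parent image and child command
# line of the "Process created" records listed above, plus one benign control
# record (an administrator creating a task from cmd.exe) that the report does
# not contain. This is not a live telemetry feed.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe'),
    (r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp'),
    (r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"),
    (r"C:\Users\user\AppData\Roaming\catch\catch.exe",
     r"C:\Users\user\AppData\Roaming\catch\catch.exe"),
    (r"C:\Windows\System32\cmd.exe",  # constructed benign control record
     r'C:\Windows\System32\schtasks.exe /Create /TN "Backup\Nightly" /TR "C:\Program Files\Backup\run.exe" /SC DAILY'),
]

IMAGE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.exe$", re.IGNORECASE)
MP_EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)', re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/TN\s+"?([^"]+?)"?(?=\s+/|\s*$)', re.IGNORECASE)
TASK_XML_RE = re.compile(r'/XML\s+"?([^"]+)', re.IGNORECASE)

# Tags that on their own justify escalating the record (assumed policy for this example).
SUSPICIOUS_TAGS = {"defender_exclusion_added", "schtasks_xml_from_temp", "self_spawn", "double_extension"}


@dataclass
class Finding:
    parent: str
    child: str
    tags: list = field(default_factory=list)
    iocs: dict = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        return bool(set(self.tags) & SUSPICIOUS_TAGS)


def child_image(cmdline: str) -> str:
    """Return the executable path at the start of a command line (tolerates a leading quote)."""
    m = IMAGE_RE.match(cmdline)
    return m.group(1) if m else cmdline.split()[0]


def classify(parent: str, cmdline: str) -> Finding:
    """Tag one process-creation record and extract the IOCs it carries."""
    f = Finding(parent=parent, child=child_image(cmdline))
    if parent.lower() == f.child.lower():
        f.tags.append("self_spawn")  # an image launching a copy of itself: typical of .NET injectors
    if USER_WRITABLE_RE.search(parent):
        f.tags.append("parent_in_appdata")
    if DOUBLE_EXT_RE.search(parent) or DOUBLE_EXT_RE.search(f.child):
        f.tags.append("double_extension")
    m = MP_EXCLUSION_RE.search(cmdline)
    if m:
        f.tags.append("defender_exclusion_added")
        f.iocs["exclusion"] = m.group(1).strip()
        if USER_WRITABLE_RE.search(f.iocs["exclusion"]):
            f.tags.append("defender_exclusion_user_writable")
    if f.child.lower().endswith("schtasks.exe") and re.search(r"/create\b", cmdline, re.IGNORECASE):
        f.tags.append("schtasks_create")
        tn = TASK_NAME_RE.search(cmdline)
        if tn:
            f.iocs["task"] = tn.group(1)
        xml = TASK_XML_RE.search(cmdline)
        if xml:
            f.iocs["task_xml"] = xml.group(1).strip()
            if TEMP_DIR_RE.search(f.iocs["task_xml"]):
                f.tags.append("schtasks_xml_from_temp")
    return f


def triage(events):
    """Classify every record and collect the persistence / defence-evasion IOCs to remove."""
    findings = [classify(parent, cmdline) for parent, cmdline in events]
    iocs = {"exclusions": set(), "tasks": set(), "task_xml": set()}
    for f in findings:
        if not f.suspicious:
            continue  # the benign control record keeps its task name out of the IOC list
        if "exclusion" in f.iocs:
            iocs["exclusions"].add(f.iocs["exclusion"])
        if "task" in f.iocs:
            iocs["tasks"].add(f.iocs["task"])
        if "task_xml" in f.iocs:
            iocs["task_xml"].add(f.iocs["task_xml"])
    return findings, iocs


if __name__ == "__main__":
    findings, iocs = triage(SAMPLE_EVENTS)
    for f in findings:
        print(("ALERT " if f.suspicious else "ok    ") + f.child, f.tags, f.iocs)
    print("remove:", iocs)
```

Run against the sample, the four report records are flagged and the cmd.exe control is not; the collected IOCs are the exclusion path C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe and the task Updates\iDGyQtltoKmu. On a real host the same two items are what to verify and remove (the exclusion via Defender preferences, the task from the task scheduler), together with the dropped catch.exe binary; the tmp*.tmp XML files are per-run and will normally be gone by the time of response.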
Source: PI.1872GAT02.pdf.exe, 00000009.00000002.609447003.0000000001900000.00000002.00020000.sdmp, catch.exe, 00000020.00000002.608790450.0000000001800000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: PI.1872GAT02.pdf.exe, 00000009.00000002.609447003.0000000001900000.00000002.00020000.sdmp, catch.exe, 00000020.00000002.608790450.0000000001800000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: PI.1872GAT02.pdf.exe, 00000009.00000002.609447003.0000000001900000.00000002.00020000.sdmp, catch.exe, 00000020.00000002.608790450.0000000001800000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
Source: PI.1872GAT02.pdf.exe, 00000009.00000002.609447003.0000000001900000.00000002.00020000.sdmp, catch.exe, 00000020.00000002.608790450.0000000001800000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeQueries volume information: C:\Users\user\AppData\Roaming\catch\catch.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: catch.exe PID: 4860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: catch.exe PID: 2948, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.catch.exe.382b948.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37fb948.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37c5928.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.catch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.0.catch.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.0.catch.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.catch.exe.37f5928.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.0.catch.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.catch.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.catch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.catch.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.0.catch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.catch.exe.382b948.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.catch.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.catch.exe.37f5928.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PI.1872GAT02.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.0.catch.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.0.catch.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.catch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.catch.exe.382b948.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.catch.exe.382b948.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37c5928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.catch.exe.37f5928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.catch.exe.37f5928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37fb948.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.606123172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000000.502624331.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.501171531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.511166140.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.379158737.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.606087624.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.379924132.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.502205022.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000000.500431945.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: catch.exe PID: 5320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: catch.exe PID: 2772, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: catch.exe PID: 4860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: catch.exe PID: 2948, type: MEMORYSTR
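The Yara match list above names the same processes two ways: memory dumps carry a hexadecimal PID (0000001F, 00000020, 00000009) while unpacked PE names carry a decimal one (31, 32, 9), so one injected image appears under two keys. The Python below is an added example, not part of the Joe Sandbox report, that parses both forms and groups the hits by PID so the 0x402000 executable regions line up with the 0x400000 unpacks. The sample names are copied from the list above; reading the fifth dump-name field as a Win32 PAGE_* protection value is an assumption that fits every value on this page (0x40 for the 0x402000 regions, 0x04 for the heap regions), and the phase field is carried through without interpretation.

```python
import re
from collections import defaultdict

# Subset of the Yara-match entries listed above, copied as Joe Sandbox prints them:
# memory dumps use a hex PID, unpacked PE names a decimal one.
SAMPLE_MATCHES = [
    "0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp",
    "00000020.00000002.606123172.0000000000402000.00000040.00000001.sdmp",
    "00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp",
    "00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp",
    "00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp",
    "9.0.PI.1872GAT02.pdf.exe.400000.8.unpack",
    "31.0.catch.exe.400000.4.unpack",
    "32.2.catch.exe.400000.0.unpack",
    "0.2.PI.1872GAT02.pdf.exe.37fb948.6.unpack",
    "20.2.catch.exe.382b948.4.raw.unpack",
]

# Win32 PAGE_* constants. Treating the fifth dump-name field as one of these is an
# assumption; it matches every value on this page.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

DUMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$",
    re.IGNORECASE,
)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)"
    r"(?P<raw>\.raw)?\.unpack$"
)


def parse_dump(name):
    """Decode a <pid>.<phase>.<seq>.<base>.<protect>.<n>.sdmp name; None if it is not one."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    protect = int(m["protect"], 16)
    return {
        "pid": int(m["pid"], 16),
        "phase": int(m["phase"], 16),  # kept verbatim; not documented on this page
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "executable": bool(protect & 0xF0),  # every PAGE_EXECUTE* value sits in the high nibble
    }


def parse_unpack(name):
    """Decode a <pid>.<phase>.<image>.<base>.<idx>[.raw].unpack name; None otherwise."""
    m = UNPACK_RE.match(name)
    if not m:
        return None
    return {
        "pid": int(m["pid"]),
        "phase": int(m["phase"]),
        "image": m["image"],
        "base": int(m["base"], 16),
        "raw": m["raw"] is not None,
    }


def correlate(names):
    """Group every Yara hit by PID so both naming schemes land on one key."""
    by_pid = defaultdict(lambda: {"images": set(), "exec_regions": set(),
                                  "data_regions": set(), "unpack_bases": set()})
    for name in names:
        if (d := parse_dump(name)) is not None:
            key = "exec_regions" if d["executable"] else "data_regions"
            by_pid[d["pid"]][key].add(d["base"])
        elif (u := parse_unpack(name)) is not None:
            by_pid[u["pid"]]["images"].add(u["image"])
            by_pid[u["pid"]]["unpack_bases"].add(u["base"])
    return dict(by_pid)


def payload_pids(names, image_base=0x400000, span=0x10000):
    """PIDs holding an executable Yara-matched region just above the default image
    base: the unpacked payload image, as opposed to the loader's read/write heap."""
    return sorted(pid for pid, b in correlate(names).items()
                  if any(image_base <= r < image_base + span for r in b["exec_regions"]))


if __name__ == "__main__":
    for pid, bucket in sorted(correlate(SAMPLE_MATCHES).items()):
        print(pid, sorted(bucket["images"]), [hex(r) for r in sorted(bucket["exec_regions"])])
    print("payload PIDs:", payload_pids(SAMPLE_MATCHES))
```

Run as-is it reports PIDs 9, 31 and 32 as the processes carrying the executable 0x402000 region, which is the same set the report names in its unpacked-PE list (9.0.PI.1872GAT02.pdf.exe, 31.0.catch.exe, 32.0.catch.exe); PIDs 0, 16 and 20 only have heap regions and heap-address unpacks, consistent with them being the loaders.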

                      Mitre Att&ck Matrix

Techniques are grouped by tactic below (the page renders them as a 14-column matrix). Digits after a technique name are the report's signature-count badges, copied as printed; techniques without digits had no matching signature in this analysis.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation 211; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job 1; Registry Run Keys / Startup Folder 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection 112; Scheduled Task/Job 1; Registry Run Keys / Startup Folder 1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools 11; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 23; Masquerading 1; Virtualization/Sandbox Evasion 131; Process Injection 112; Hidden Files and Directories 1
Credential Access: OS Credential Dumping 2; Credentials in Registry 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery 1; System Information Discovery 114; Query Registry 1; Security Software Discovery 311; Process Discovery 2; Virtualization/Sandbox Evasion 131; Application Window Discovery 1; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data 11; Data from Local System 2; Email Collection 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Non-Application Layer Protocol 1; Application Layer Protocol 1; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 553435 | Sample: PI.1872GAT02.pdf.exe | Start date: 14/01/2022 | Architecture: WINDOWS | Score: 100

Contacted hosts: us2.smtp.mailhostbox.com; smtp.tranpotescamdonic.us

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 12 other signatures

Process tree (dropped files and signatures listed under the process that produced them):

PI.1872GAT02.pdf.exe (started)
    dropped: C:\Users\user\AppData\...\iDGyQtltoKmu.exe (PE32); C:\Users\...\iDGyQtltoKmu.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpB28A.tmp (XML); C:\Users\user\...\PI.1872GAT02.pdf.exe.log (ASCII)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules
    PI.1872GAT02.pdf.exe (started)
        dropped: C:\Users\user\AppData\Roaming\...\catch.exe (PE32); C:\Users\...\catch.exe:Zone.Identifier (ASCII)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
    powershell.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
catch.exe (started)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
    powershell.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
    4 other processes
catch.exe (started)
    signatures: Injects a PE file into a foreign processes
    powershell.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
    catch.exe (started)
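The process tree above shows the loader chain in order: a double-extension sample, a self-spawned copy of the same image, schtasks.exe and powershell.exe children next to an XML temp file, and catch.exe later running from AppData\Roaming while a Windows Defender exclusion is added. The Python below is an added example, not from the report, of detection logic for those five behaviours run over constructed process-creation events. The PIDs, parent images and command lines are constructed (the report names the tools but prints no arguments), and the Add-MpPreference exclusion command is an assumption about how the directory exclusion was added.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR-style fields)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


# Constructed events modelled on the process tree above; PIDs, parents and every
# command line are assumptions, not values printed by the report.
SAMPLE_EVENTS = [
    ProcEvent(6900, r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"'),
    ProcEvent(5084, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'),
    ProcEvent(5100, r"C:\Windows\SysWOW64\schtasks.exe",
              r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
              r'schtasks.exe /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp"'),
    ProcEvent(6360, r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
              r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
              r'"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"'),
    ProcEvent(5320, r"C:\Users\user\AppData\Roaming\catch\catch.exe",
              r"C:\Windows\System32\svchost.exe",
              r'"C:\Users\user\AppData\Roaming\catch\catch.exe"'),
    ProcEvent(4860, r"C:\Users\user\AppData\Roaming\catch\catch.exe",
              r"C:\Users\user\AppData\Roaming\catch\catch.exe",
              r'"C:\Users\user\AppData\Roaming\catch\catch.exe"'),
    ProcEvent(6012, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|zip)\.exe$", re.I)
USER_TEMP_XML = re.compile(r'/xml\s+"?[^"\s]*\\AppData\\Local\\Temp\\', re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\.*\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list:
    """Return the rule names this single event trips, in a fixed order."""
    hits = []
    name = basename(ev.image)
    if DOUBLE_EXT.search(name):
        hits.append("double_extension_executable")
    if name == "schtasks.exe" and "/create" in ev.command_line.lower() \
            and USER_TEMP_XML.search(ev.command_line):
        hits.append("schtasks_create_from_user_temp_xml")
    if name == "powershell.exe" and DEFENDER_EXCLUSION.search(ev.command_line):
        hits.append("defender_exclusion_added")
    # A process whose parent is the very same image is the classic
    # self-hollowing pattern; on its own it is weak, so it is only one rule.
    if ev.image.lower() == ev.parent_image.lower():
        hits.append("self_spawn_same_image")
    # Legitimate software lives here too (updaters, chat clients), hence a weak rule.
    if APPDATA_ROAMING.search(ev.image):
        hits.append("executable_in_appdata_roaming")
    return hits


def triage(events) -> dict:
    """Map PID -> detections, keeping only processes that tripped at least one rule."""
    return {ev.pid: hits for ev in events if (hits := detect(ev))}


def distinct_rules(events) -> int:
    """How many different rules fired across the whole tree; several distinct
    behaviours (loader, persistence, defence evasion) are what separate this
    chain from a single noisy event."""
    return len({h for ev in events for h in detect(ev)})


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
    print("distinct rules fired:", distinct_rules(SAMPLE_EVENTS))
```

Each rule on its own is low-signal (users do run programs from AppData\Roaming, and administrators do add Defender exclusions); the value is in seeing all five fire inside one parent-child chain within seconds, which is what the report's tree shows and what a correlation rule should key on.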

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
PI.1872GAT02.pdf.exe | 48% | Virustotal |
PI.1872GAT02.pdf.exe | 45% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
PI.1872GAT02.pdf.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\catch\catch.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\catch\catch.exe | 47% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe | 47% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

                      Unpacked PE Files

Source | Detection | Scanner | Label
9.0.PI.1872GAT02.pdf.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
31.0.catch.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
32.0.catch.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
9.0.PI.1872GAT02.pdf.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
9.0.PI.1872GAT02.pdf.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
9.0.PI.1872GAT02.pdf.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
32.0.catch.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
32.0.catch.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
31.0.catch.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
32.2.catch.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
31.0.catch.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
9.0.PI.1872GAT02.pdf.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
32.0.catch.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
31.0.catch.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
9.2.PI.1872GAT02.pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
32.0.catch.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
31.0.catch.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
31.2.catch.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://JZAeubGsK9Sikz.org | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comt# | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm= | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.goodfont.co.kr-e | 0% | Avira URL Cloud | safe
http://fontfabrik.comY | 0% | Avira URL Cloud | safe
http://www.tiro.com5 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comen | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr( | 0% | Avira URL Cloud | safe
http://fontfabrik.comH | 0% | URL Reputation | safe
http://www.carterandcone.comno | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/.m | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cnr-c | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sandoll.co.krs-c | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cnn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://smtp.tranpotescamdonic.us | 0% | Avira URL Cloud | safe
http://oHtnSs.com | 0% | Avira URL Cloud | safe
http://www.urwpp.deettr | 0% | Avira URL Cloud | safe
http://www.sandoll.c | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.founder.com.cn/cnsk. | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.comk. | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.comicr | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/r | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comk | 0% | Avira URL Cloud | safe
http://www.carterandcone.comexc | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.carterandcone.come | 0% | URL Reputation | safe
http://www.agfamonotype. | 0% | URL Reputation | safe
http://www.carterandcone.comd | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.urwpp.deQ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.coma) | 0% | Avira URL Cloud | safe
http://www.tiro.comlic | 0% | URL Reputation | safe
http://www.carterandcone.comlo | 0% | Avira URL Cloud | safe
http://en.w | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.goodfont.co.kr.m | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnn-u? | 0% | Avira URL Cloud | safe
http://www.carterandcone.comint | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comtX( | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cno.t | 0% | Avira URL Cloud | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnlt8 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comos | 0% | Avira URL Cloud | safe
http://www.carterandcone.comncy | 0% | URL Reputation | safe
http://www.carterandcone.comtigY | 0% | Avira URL Cloud | safe
http://www.urwpp.ded | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.224 | true | false | | high
smtp.tranpotescamdonic.us | unknown | unknown | false | | high

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersH | PI.1872GAT02.pdf.exe, 00000000.00000003.349485061.00000000055D0000.00000004.00000001.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, catch.exe, 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | | high
https://JZAeubGsK9Sikz.org | PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000003.589182184.0000000001144000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comt# | PI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm= | PI.1872GAT02.pdf.exe, 00000000.00000003.352539337.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352631483.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352723895.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352897777.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352778011.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr-e | PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://us2.smtp.mailhostbox.com | PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmp | false | | high
http://fontfabrik.comY | PI.1872GAT02.pdf.exe, 00000000.00000003.341824019.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341738040.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341718830.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | | high
http://www.tiro.com5 | PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comen | PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr( | PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers | PI.1872GAT02.pdf.exe, 00000000.00000003.349563544.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349795020.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349485061.00000000055D0000.00000004.00000001.sdmp | false | | high
http://fontfabrik.comH | PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comno | PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers0. | PI.1872GAT02.pdf.exe, 00000000.00000003.350849136.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350908927.00000000055CB000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/.m | PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cnr-c | PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krs-c | PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnn | PI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PI.1872GAT02.pdf.exe, 00000000.00000003.355602281.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353253105.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355000874.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353979670.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354410089.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352539337.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353040919.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355456833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355059217.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355104139.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354676559.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352631483.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355798640.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353354516.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353914805.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355661429.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355512777.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353605294.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355335081.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354077275.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354188877.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352723895.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355558253.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354761451.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354807622.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353476286.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353190242.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354585604.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352897777.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355405169.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353702244.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355713046.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354887021.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352778011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386058108.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354288508.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355836459.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353859656.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354936948.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353542324.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355199978.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355256754.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355152588.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353790375.00000000055CB000.00000004.00000001.sdmp | false
                                        • URL Reputation: safe
                                        unknown
                                        http://fontfabrik.comPI.1872GAT02.pdf.exe, 00000000.00000003.341824019.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341652269.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341738040.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341718830.00000000055CB000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designerskPI.1872GAT02.pdf.exe, 00000000.00000003.351023238.00000000055CB000.00000004.00000001.sdmpfalse
                                          high
                                          http://smtp.tranpotescamdonic.usPI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://oHtnSs.comcatch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.urwpp.deettrPI.1872GAT02.pdf.exe, 00000000.00000003.348543246.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348396796.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348682641.00000000055D0000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sandoll.cPI.1872GAT02.pdf.exe, 00000000.00000003.344046675.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/DPleasePI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://api.ipify.org%GETMozilla/5.0catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          low
                                          http://www.ascendercorp.com/typedesigners.htmlPI.1872GAT02.pdf.exe, 00000000.00000003.346720788.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346994696.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347052526.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346868051.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346747432.00000000055D3000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cnsk.PI.1872GAT02.pdf.exe, 00000000.00000003.344513930.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344699399.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344820593.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344944025.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344651272.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344593750.00000000055CB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fonts.comPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sandoll.co.krPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comk.PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.urwpp.deDPleasePI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.dePI.1872GAT02.pdf.exe, 00000000.00000003.348396796.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351070142.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351131352.00000000055D7000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.zhongyicts.com.cnPI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, catch.exe, 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.sakkal.comPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346720788.00000000055D3000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.carterandcone.comicrPI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPI.1872GAT02.pdf.exe, 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, catch.exe, 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, catch.exe, 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.founder.com.cn/cn/rPI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.sajatypeworks.comkPI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.apache.org/licenses/LICENSE-2.0PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.carterandcone.comexcPI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://DynDns.comDynDNScatch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.comFPI.1872GAT02.pdf.exe, 00000000.00000002.382630491.0000000000AC7000.00000004.00000040.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comePI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.agfamonotype.PI.1872GAT02.pdf.exe, 00000000.00000003.355059217.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comdPI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haPI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, catch.exe, 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comTCPI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.urwpp.deQPI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.sajatypeworks.coma)PI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://www.tiro.comlicPI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comloPI.1872GAT02.pdf.exe, 00000000.00000003.346299565.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://en.wPI.1872GAT02.pdf.exe, 00000000.00000003.342428606.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.342376975.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.342448075.00000000055DA000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://api.ipify.org%$PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://www.carterandcone.comlPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.goodfont.co.kr.mPI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlNPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.founder.com.cn/cnn-u?PI.1872GAT02.pdf.exe, 00000000.00000003.344243109.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344214607.00000000055D0000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.carterandcone.comintPI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.founder.com.cn/cnPI.1872GAT02.pdf.exe, 00000000.00000003.344513930.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344243109.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344699399.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344820593.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344944025.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344214607.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344651272.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345017322.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344593750.00000000055CB000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/frere-jones.htmlPI.1872GAT02.pdf.exe, 00000000.00000003.350538299.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350106929.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350231749.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350179211.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350438951.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350272250.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350205792.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350063993.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350314698.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350585382.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350462344.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350509924.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350082934.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350165532.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350027194.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350418250.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350130711.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350397111.00000000055EE000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.com/designers/cabarga.htmlPI.1872GAT02.pdf.exe, 00000000.00000003.350740671.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350834095.00000000055EE000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.fontbureau.comtX(PI.1872GAT02.pdf.exe, 00000000.00000002.382630491.0000000000AC7000.00000004.00000040.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://www.zhongyicts.com.cno.tPI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.monotype.PI.1872GAT02.pdf.exe, 00000000.00000003.347717700.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347673213.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343671517.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343603284.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347806036.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347629233.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers8PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                                          high
Name: http://www.zhongyicts.com.cnlt8
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.carterandcone.comos
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.carterandcone.comncy
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers:
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.349323893.00000000055D0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com/designers/
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348682641.00000000055D0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.carterandcone.comtigY
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.urwpp.ded
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351070142.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351131352.00000000055D7000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers2
Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348918399.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349323893.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349002423.00000000055D0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

                                                                Contacted IPs

                                                                No contacted IP infos

                                                                General Information

                                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                                Analysis ID:553435
                                                                Start date:14.01.2022
                                                                Start time:22:21:14
                                                                Joe Sandbox Product:CloudBasic
                                                                Overall analysis duration:0h 13m 24s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:light
                                                                Sample file name:PI.1872GAT02.pdf.exe
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@33/19@2/0
                                                                EGA Information:
                                                                • Successful, ratio: 80%
                                                                HDC Information:
                                                                • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                                                • Quality average: 65.1%
                                                                • Quality standard deviation: 35.6%
                                                                HCA Information:
                                                                • Successful, ratio: 100%
                                                                • Number of executed functions: 0
                                                                • Number of non-executed functions: 0
                                                                Cookbook Comments:
                                                                • Adjust boot time
                                                                • Enable AMSI
                                                                • Found application associated with file extension: .exe
                                                                Warnings:
                                                                Show All
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200
                                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target catch.exe, PID 3500 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

Time | Type | Description
22:22:20 | API Interceptor | 596x Sleep call for process: PI.1872GAT02.pdf.exe modified
22:22:24 | API Interceptor | 88x Sleep call for process: powershell.exe modified
22:22:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run catch C:\Users\user\AppData\Roaming\catch\catch.exe
22:23:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run catch C:\Users\user\AppData\Roaming\catch\catch.exe
22:23:08 | API Interceptor | 244x Sleep call for process: catch.exe modified
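The two Autostart rows above record a Run-key value named catch that points at C:\Users\user\AppData\Roaming\catch\catch.exe, and the Created / dropped Files section further down shows the sample and catch.exe writing Task Scheduler XML definitions (tmp79D1.tmp, tmp86D2.tmp, tmpB28A.tmp) with an enabled LogonTrigger and RunLevel LeastPrivilege. The Python script below is an added triage example and is not part of the Joe Sandbox report: it flags Run-key values and task definitions whose action launches from a directory a standard user can write to. The Run-key entries are copied from the table above; the task XML is reconstructed from the dropped-file preview, and its Actions/Exec/Command element, which the preview cuts off, is an assumption that points at catch.exe as the Run-key rows suggest.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments under which a standard user can write. A logon-triggered task
# or Run-key value launching from one of these is the user-level persistence
# pattern recorded in this report.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Autostart rows from the Behavior and APIs table: (hive path, value name, command).
RUN_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "catch",
     "C:\\Users\\user\\AppData\\Roaming\\catch\\catch.exe"),
    ("HKCU64\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "catch",
     "C:\\Users\\user\\AppData\\Roaming\\catch\\catch.exe"),
]

# Constructed task definition reconstructed from the tmpB28A.tmp preview. The
# <Actions> block is an assumption: the preview is truncated before it, and the
# command is taken from the Run-key rows above.
TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\catch\\catch.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def launches_from_user_writable(command: str) -> bool:
    """True when the launch path sits under a directory a standard user can write."""
    path = command.strip().strip('"').lower()
    return any(fragment in path for fragment in USER_WRITABLE)


def triage_run_entries(entries):
    """Return the Run-key entries whose command launches from a user-writable path."""
    return [(key, name, cmd) for key, name, cmd in entries
            if launches_from_user_writable(cmd)]


def parse_task(xml_text: str) -> dict:
    """Pull the persistence-relevant fields out of a Task Scheduler XML definition."""
    # The dropped file declares UTF-16 but the report identifies it as ASCII text;
    # strip the declaration so the parser does not trust the wrong encoding.
    body = re.sub(r"^\s*<\?xml[^>]*\?>\s*", "", xml_text)
    root = ET.fromstring(body)

    def text(path: str) -> str:
        node = root.find(path, TASK_NS)
        return (node.text or "").strip() if node is not None else ""

    return {
        "registered": text("t:RegistrationInfo/t:Date"),
        "logon_trigger": text("t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true",
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "commands": [(c.text or "").strip()
                     for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)],
    }


def triage_task(xml_text: str) -> list:
    """Findings for one task definition; an empty list means nothing was flagged."""
    info = parse_task(xml_text)
    findings = []
    if info["logon_trigger"]:
        findings.append("LogonTrigger enabled: re-executes at every interactive logon")
    for cmd in info["commands"]:
        if launches_from_user_writable(cmd):
            findings.append(f"action launches from user-writable path: {cmd}")
    if findings and info["run_level"] == "LeastPrivilege":
        findings.append("RunLevel LeastPrivilege: no elevation needed, registrable by a standard user")
    return findings


if __name__ == "__main__":
    for key, name, cmd in triage_run_entries(RUN_ENTRIES):
        print(f"[Run key] {key}\\{name} -> {cmd}")
    for finding in triage_task(TASK_XML):
        print(f"[Task] {finding}")
```

The RegistrationInfo date (2014-10-25) is carried verbatim from the preview; a registration stamp years older than the analysis date (14.01.2022) indicates the XML is a hardcoded template written by the malware rather than a task created through the Task Scheduler UI, which normally stamps the creation time. On a live host, replace the constructed constants with the output of Export-ScheduledTask for each task and Get-ItemProperty on the HKCU and HKLM Run keys.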

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                No context

                                                                Domains

                                                                No context

                                                                ASN

                                                                No context

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI.1872GAT02.pdf.exe.log
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):1310
                                                                Entropy (8bit):5.345651901398759
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                                                MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                                                SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                                                SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                                                SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                                                Malicious:true
                                                                Reputation:unknown
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\catch.exe.log
                                                                Process:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1310
                                                                Entropy (8bit):5.345651901398759
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                                                MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                                                SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                                                SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                                                SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
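The two UsageLogs entries above, one for the sample and one for catch.exe with identical hashes, are a forensic artifact in their own right: the .NET 4 CLR writes %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<image name>.log (CLR_v4.0 without the suffix for 64-bit processes) for each managed executable it runs, recording the assemblies the process bound so that automatic NGEN can decide what to precompile. The log therefore survives as evidence that a 32-bit .NET executable with that name ran under this user even after the binary itself is gone. The Python parser below is an added example, not part of the Joe Sandbox report; its input is reconstructed from the preview, and the reading of the record kinds (1, 2, 3) is inferred from that preview rather than taken from Microsoft documentation.

```python
import csv

# Reconstructed from the report's preview of PI.1872GAT02.pdf.exe.log (the ".."
# in the preview is how CRLF renders). The trailing System.Xml record is cut
# off in the preview and is left out. Constructed sample input, not the raw file.
USAGE_LOG = "\r\n".join([
    '1,"fusion","GAC",0',
    '1,"WinRT","NotApp",1',
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0',
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0',
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0',
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0',
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\8d67d92724ba494b6c7fd089d6f25b48\\System.Configuration.ni.dll",0',
]) + "\r\n"


def parse_usage_log(text: str) -> list:
    """Parse CLR UsageLogs records into dicts.

    Record layout as read from the preview (an inferred reading, not Microsoft
    documentation): the first field is a record kind, 1 = loader context
    (binding context, value), 2 = assembly bound by display name with no native
    image, 3 = assembly bound through an NGEN native image whose path follows.
    """
    records = []
    # The file is CSV with quoted fields, so let the csv module handle the
    # commas inside assembly display names.
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        kind = row[0]
        if kind == "1":
            records.append({"kind": "context", "name": row[1], "value": row[2]})
        elif kind in ("2", "3"):
            records.append({
                "kind": "assembly",
                "name": row[1].split(",", 1)[0],
                "display_name": row[1],
                "native_image": row[2] if kind == "3" else None,
            })
    return records


def bound_assemblies(text: str) -> list:
    """Short names of the assemblies the process bound, in log order."""
    return [r["name"] for r in parse_usage_log(text) if r["kind"] == "assembly"]


def native_image_paths(text: str) -> list:
    """NGEN image paths the loader resolved; the _32 suffix confirms a 32-bit CLR."""
    return [r["native_image"] for r in parse_usage_log(text)
            if r["kind"] == "assembly" and r["native_image"]]


if __name__ == "__main__":
    print("assemblies:", ", ".join(bound_assemblies(USAGE_LOG)))
    for path in native_image_paths(USAGE_LOG):
        print("native image:", path)
```

Identical logs for PI.1872GAT02.pdf.exe and catch.exe are consistent with catch.exe being a relocated copy of the sample, since both processes bound the same assemblies in the same order. On a live host, parse every *.log under the CLR_v4.0 and CLR_v4.0_32 UsageLogs directories of each user profile and look for image names that match nothing installed under Program Files or the Windows directory.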
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):22168
                                                                Entropy (8bit):5.6057066113124625
                                                                Encrypted:false
                                                                SSDEEP:384:ztCDLqyZp0WR0Xe0/RcSBKn4jultIa/paeQ99gtbcxyT1MaDZlbAV7G3WDyZBDIN:s0WRIe0C4K4Clt1Rat8hZC6fwy1VK
                                                                MD5:53C520BE8CDC6F6BF16863F4BB562638
                                                                SHA1:70391CC67D9B586AAC373FBF7DF6C70669BB4776
                                                                SHA-256:8129FB32F8FCC386F60B0C6E0EF92F1322B254CAB0A4DFE00F099F140F2A4E0D
                                                                SHA-512:A5CFCE49E18815C18805C650FCF7E6369940D88B01CE4D2F7B3D994F8836946B727F5757B4B95AB68E991AE76EB39F3C3D8D650557886BD0D87326F03D55937B
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: @...e...........]...................Q...x.v..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qysiocw.gzb.psm1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajno0yrk.14b.psm1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixzoiwgh.ddw.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kawb1whi.elv.psm1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmd43qat.nwn.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t2btzcjm.l41.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
                                                                Process:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1611
                                                                Entropy (8bit):5.11715377982551
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLexvn:cgea6YrFdOFzOzN33ODOiDdKrsuTWv
                                                                MD5:3D101574D5C7C36A6FFB1733E9A405ED
                                                                SHA1:C16D43BEB7493D4F119E60C62E5D895CD4FED054
                                                                SHA-256:3A52CA55D7A163C15E187788137F8CB1B4A84779EC7DE748463F1AA23314E901
                                                                SHA-512:597E2C91C729F0F284D44FE31C6AC700546624B1544A6909A87D5BDAB7D7520E126AEDD7701A8314DA2962E02A16EB848C80A3017A216FFDDD00D74456208900
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab
                                                                C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
                                                                Process:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1611
                                                                Entropy (8bit):5.11715377982551
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLexvn:cgea6YrFdOFzOzN33ODOiDdKrsuTWv
                                                                MD5:3D101574D5C7C36A6FFB1733E9A405ED
                                                                SHA1:C16D43BEB7493D4F119E60C62E5D895CD4FED054
                                                                SHA-256:3A52CA55D7A163C15E187788137F8CB1B4A84779EC7DE748463F1AA23314E901
                                                                SHA-512:597E2C91C729F0F284D44FE31C6AC700546624B1544A6909A87D5BDAB7D7520E126AEDD7701A8314DA2962E02A16EB848C80A3017A216FFDDD00D74456208900
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab
                                                                C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1611
                                                                Entropy (8bit):5.11715377982551
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLexvn:cgea6YrFdOFzOzN33ODOiDdKrsuTWv
                                                                MD5:3D101574D5C7C36A6FFB1733E9A405ED
                                                                SHA1:C16D43BEB7493D4F119E60C62E5D895CD4FED054
                                                                SHA-256:3A52CA55D7A163C15E187788137F8CB1B4A84779EC7DE748463F1AA23314E901
                                                                SHA-512:597E2C91C729F0F284D44FE31C6AC700546624B1544A6909A87D5BDAB7D7520E126AEDD7701A8314DA2962E02A16EB848C80A3017A216FFDDD00D74456208900
                                                                Malicious:true
                                                                Reputation:unknown
                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab
                                                                C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):596992
                                                                Entropy (8bit):7.236697493708965
                                                                Encrypted:false
                                                                SSDEEP:12288:tK777777777777N79PvlZJB1Wzf25mo+aeI73QDQYV+KS8rDblU7dhqsQ:tK777777777777l9hB1Wjcmo+FaQUYVQ
                                                                MD5:1396637598469E7E918C70BE938370D5
                                                                SHA1:C83510C66F043C3595960102AC030A3C99656768
                                                                SHA-256:D6F3D5FBDC9C7F68E29260BADB6FD6E8F1B606798FD9FE544E0B28387F21EAF9
                                                                SHA-512:FA0CF9DCFB5F5AB5397BDDFF5642898028CC72F197B07BE439EA90CD6BCA0E8B821CE5E9BB59DE505A5F26462514CB1F3A19C517EFC9DC6784E55EB072CF924C
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 47%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@.a.............................0... ...@....@.. ....................................@..................................0..K....@.......................`......F0............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H........f..........E.......*.............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... .....::...&..E................0...........j.......8.... ............E....Z...x...........r...~...>...r.......Z...@...8...............(...R... ....8....8N...r...p.(...... .....:....&..(..... ........8u...8....r5..p.(...... ....8]...8....rc..p.(...... .....9@...&.9.... ........8'...8....r...p.(..
                                                                C:\Users\user\AppData\Roaming\catch\catch.exe:Zone.Identifier
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:unknown
                                                                Preview: [ZoneTransfer]....ZoneId=0
                                                                C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):596992
                                                                Entropy (8bit):7.236697493708965
                                                                Encrypted:false
                                                                SSDEEP:12288:tK777777777777N79PvlZJB1Wzf25mo+aeI73QDQYV+KS8rDblU7dhqsQ:tK777777777777l9hB1Wjcmo+FaQUYVQ
                                                                MD5:1396637598469E7E918C70BE938370D5
                                                                SHA1:C83510C66F043C3595960102AC030A3C99656768
                                                                SHA-256:D6F3D5FBDC9C7F68E29260BADB6FD6E8F1B606798FD9FE544E0B28387F21EAF9
                                                                SHA-512:FA0CF9DCFB5F5AB5397BDDFF5642898028CC72F197B07BE439EA90CD6BCA0E8B821CE5E9BB59DE505A5F26462514CB1F3A19C517EFC9DC6784E55EB072CF924C
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 47%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@.a.............................0... ...@....@.. ....................................@..................................0..K....@.......................`......F0............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H........f..........E.......*.............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... .....::...&..E................0...........j.......8.... ............E....Z...x...........r...~...>...r.......Z...@...8...............(...R... ....8....8N...r...p.(...... .....:....&..(..... ........8u...8....r5..p.(...... ....8]...8....rc..p.(...... .....9@...&.9.... ........8'...8....r...p.(..
                                                                C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe:Zone.Identifier
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:unknown
                                                                Preview: [ZoneTransfer]....ZoneId=0
                                                                C:\Users\user\Documents\20220114\PowerShell_transcript.377142.QGssXbBu.20220114222222.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5827
                                                                Entropy (8bit):5.377704252121327
                                                                Encrypted:false
                                                                SSDEEP:96:BZRTLKN+qDo1ZPZkTLKN+qDo1ZyxDpjZdTLKN+qDo1ZPE553Zg:f
                                                                MD5:71D228AAF492D79076B73C9D2B27013A
                                                                SHA1:0A86EAB450B1CD81557CCF72E31E7C803F9AB44A
                                                                SHA-256:A8517EDF2BC36DF48DF3C3E13A0BE1BA07B132AD0D1F54FC09979F9299470954
                                                                SHA-512:893BB62391D84D9A6828EC3E1616CB6670D4A6F55ABD71D624C9B21E430F9939D08577F6F6DACEE7D3ED8FFDD33CC38E7EC6E9BD7F410C75BCA07ABABCCB0C67
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114222223..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..Process ID: 5588..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114222223..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..**********************..Windows PowerShell transcript start..Start time: 20220114222545..Username: computer\user..RunAs User: D
                                                                C:\Users\user\Documents\20220114\PowerShell_transcript.377142.b0jiOviu.20220114222318.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5827
                                                                Entropy (8bit):5.371678692143556
                                                                Encrypted:false
                                                                SSDEEP:96:BZcTLKNKtqDo1ZIZqTLKNKtqDo1ZIxDpjZ/TLKNKtqDo1ZZE55JZa:H
                                                                MD5:9856AC8EDA71C81081373075C63B1FBF
                                                                SHA1:1127A82E408E284F58970BFC492FDF3155D7F1CA
                                                                SHA-256:67D2D901C2AE839AC5BB8A3D65AA9772BF9E469B5BFE055CDB8B12E02C1ABFBC
                                                                SHA-512:F757EBE94C7E5248B1F858B80737A345393361E8B5B587B3FF88FCEAE7BADE7D3446FED4E838112CB59A362520B57523CFF2B0D163177C05AD0075F63D52EB22
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114222321..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..Process ID: 5612..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114222321..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..**********************..Windows PowerShell transcript start..Start time: 20220114222631..Username: computer\user..RunAs User: D
                                                                C:\Users\user\Documents\20220114\PowerShell_transcript.377142.dHeZQIbB.20220114222311.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5827
                                                                Entropy (8bit):5.373267333914756
                                                                Encrypted:false
                                                                SSDEEP:96:BZ+TLKNXqDo1ZyZCTLKNXqDo1ZIxDpjZ0TLKNXqDo1ZcE554ZH:4
                                                                MD5:85283F0F6FA628A82FFF3E0E79A83DEC
                                                                SHA1:3917D8CD74B27A603CB7B1FCA06B2BD6522617C6
                                                                SHA-256:81EE9C2B79D72E329B1A5B6F9043F27224D36E967C0BCBADA6E9DE1D37B7438F
                                                                SHA-512:ABE8FEC327AB41D49175A18483020C6BE91D04863324885C4F4AD01BC275A6C17EA800D62D7D6A152AC29B0DE46D002ECFE92C2E06EA0EBC829F48307787ECF1
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114222312..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..Process ID: 4656..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114222312..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..**********************..Windows PowerShell transcript start..Start time: 20220114222705..Username: computer\user..RunAs User: D
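The dropped-file entries above contain three artefacts a reviewer would want pulled out automatically: the Task Scheduler XML written to %TEMP% (logon trigger, LeastPrivilege principal), the Zone.Identifier stream rewritten to ZoneId=0 on the persistence copies, and the PowerShell transcripts that record Add-MpPreference -ExclusionPath against a path under AppData. The Python below is an added example, not Joe Sandbox code and not the sample's code. Every input is constructed from the previews shown here: the task XML reproduces the visible elements and its <Actions> element is an assumption (the preview is cut off before it); the Zone.Identifier content is rebuilt as a CRLF INI of the reported 26 bytes; the transcript is the visible header plus the recorded command line. Function names (parse_task, parse_zone_identifier, find_defender_exclusions, triage) are hypothetical. One caveat it handles: the dropped task XML declares encoding="UTF-16" while the File Type field says ASCII, and a strict XML parser rejects that combination.

```python
# Added example: triage of the dropped artefacts listed in this report.
# Not Joe Sandbox code and not the sample's code; all inputs below are constructed.
import re
import xml.etree.ElementTree as ET
from typing import Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the tmpB28A.tmp preview. Like the real file it declares UTF-16 but
# is plain ASCII. The <Actions> element is an assumption (the preview is truncated).
TASK_XML = rb"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2014-10-25T14:27:44.8929027</Date><Author>computer\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>computer\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>computer\user</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe</Command></Exec></Actions>
</Task>"""

# Constructed Zone.Identifier stream: CRLF-terminated INI, 26 bytes like the one reported.
ZONE_ADS = b"[ZoneTransfer]\r\nZoneId=0\r\n"

# Constructed transcript: the visible header fields plus the recorded command line.
TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20220114222223
Username: computer\user
RunAs User: computer\user
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Process ID: 5588
**********************
Command start time: 20220114222223
**********************
PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
"""

ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_task(raw: bytes) -> dict:
    """Parse Task Scheduler XML. Strict parsers reject the dropped file because its
    declaration says UTF-16 while the bytes are ASCII, so honour a BOM if present and
    otherwise drop the declaration before parsing."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("latin-1")
    text = re.sub(r"^<\?xml[^>]*\?>", "", text.lstrip())
    root = ET.fromstring(text)

    def field(path: str) -> str:
        return (root.findtext(path, default="", namespaces=TASK_NS) or "").strip()

    return {
        "author": field("t:RegistrationInfo/t:Author"),
        "logon_trigger": field("t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true",
        "run_level": field("t:Principals/t:Principal/t:RunLevel"),
        "command": field("t:Actions/t:Exec/t:Command"),
    }


def parse_zone_identifier(raw: bytes) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier alternate data stream (INI syntax)."""
    m = re.search(rb"^\s*ZoneId\s*=\s*(\d+)\s*$", raw, re.M)
    return int(m.group(1)) if m else None


EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(\S+)", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)


def find_defender_exclusions(transcript: str) -> list:
    """Return (kind, target) for each Add-MpPreference exclusion the transcript records
    as an executed command (PS> lines only, so the Host Application header is not
    counted a second time) whose target is a user-writable location."""
    hits = []
    for line in transcript.splitlines():
        if not line.startswith("PS>"):
            continue
        m = EXCLUSION_RE.search(line)
        if m and USER_WRITABLE.match(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(task_xml: bytes, zone_ads: bytes, transcript: str) -> list:
    """Combine the three parsers into findings a reviewer can act on."""
    findings = []
    task = parse_task(task_xml)
    if task["logon_trigger"]:
        findings.append(f"logon-triggered task registered by {task['author']} at "
                        f"{task['run_level']} running {task['command']}")
    zone = parse_zone_identifier(zone_ads)
    if zone == 0:
        findings.append(f"Zone.Identifier set to ZoneId=0 ({ZONES[0]}): mark-of-the-web suppressed")
    for kind, target in find_defender_exclusions(transcript):
        findings.append(f"Defender Exclusion{kind} added for user-writable path {target}")
    return findings


if __name__ == "__main__":
    for finding in triage(TASK_XML, ZONE_ADS, TRANSCRIPT):
        print("-", finding)
```

Only PS> lines are matched so that the Host Application header, which repeats the same command line, is not reported twice; on a real host the same check belongs on the Microsoft-Windows-Windows Defender/Operational event that records the exclusion change, since transcripts exist only where transcription is enabled.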

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):7.236697493708965
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:PI.1872GAT02.pdf.exe
                                                                File size:596992
                                                                MD5:1396637598469e7e918c70be938370d5
                                                                SHA1:c83510c66f043c3595960102ac030a3c99656768
                                                                SHA256:d6f3d5fbdc9c7f68e29260badb6fd6e8f1b606798fd9fe544e0b28387f21eaf9
                                                                SHA512:fa0cf9dcfb5f5ab5397bddff5642898028cc72f197b07be439ea90cd6bca0e8b821ce5e9bb59de505a5f26462514cb1f3a19c517efc9dc6784e55eb072cf924c
                                                                SSDEEP:12288:tK777777777777N79PvlZJB1Wzf25mo+aeI73QDQYV+KS8rDblU7dhqsQ:tK777777777777l9hB1Wjcmo+FaQUYVQ
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@.a.............................0... ...@....@.. ....................................@................................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4930de
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0x61E14017 [Fri Jan 14 09:19:19 2022 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                 add byte ptr [eax], al
                                                                 (the same instruction repeated for the following 96 entries: after the 6-byte jmp stub the bytes are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x93090 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x94000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x96000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x93046 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x910e4 | 0x91200 | False | 0.758032878445 | data | 7.24659563485 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x94000 | 0x5c4 | 0x600 | False | 0.431640625 | data | 4.11817059658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x96000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x940a0 | 0x336 | data | |
RT_MANIFEST | 0x943d8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | 2022 Tradewell
Assembly Version | 22.0.0.0
InternalName | TextIn.exe
FileVersion | 1.1.0.0
CompanyName | Tradewell ltd
LegalTrademarks |
Comments | Purple Org
ProductName | Blaster
ProductVersion | 1.1.0.0
FileDescription | Blaster
OriginalFilename | TextIn.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/14/22-22:24:16.780887 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49845 | 587 | 192.168.2.6 | 208.91.199.224
01/14/22-22:24:18.553611 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49846 | 587 | 192.168.2.6 | 208.91.199.224

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 22:24:15.108119965 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jan 14, 2022 22:24:15.262865067 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jan 14, 2022 22:24:15.266561031 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jan 14, 2022 22:24:15.432521105 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 22:24:15.108119965 CET | 192.168.2.6 | 8.8.8.8 | 0x3206 | Standard query (0) | smtp.tranpotescamdonic.us | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.266561031 CET | 192.168.2.6 | 8.8.8.8 | 0x4bb1 | Standard query (0) | smtp.tranpotescamdonic.us | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | smtp.tranpotescamdonic.us | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | smtp.tranpotescamdonic.us | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 22:22:10
Start date: 14/01/2022
Path: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"
Imagebase: 0x2c0000
File size: 596992 bytes
MD5 hash: 1396637598469E7E918C70BE938370D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 22:22:21
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 22:22:22
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:22:22
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
Imagebase: 0x20000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:22:23
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:22:24
Start date: 14/01/2022
Path: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
Imagebase: 0xb60000
File size: 596992 bytes
MD5 hash: 1396637598469E7E918C70BE938370D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.379158737.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.379158737.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.606087624.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.606087624.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.379924132.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.379924132.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 22:23:02
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\catch\catch.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\catch\catch.exe"
Imagebase: 0x310000
File size: 596992 bytes
MD5 hash: 1396637598469E7E918C70BE938370D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 47%, ReversingLabs
Reputation: low

General

Start time: 22:23:09
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 22:23:10
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:23:10
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\catch\catch.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\catch\catch.exe"
Imagebase: 0x360000
File size: 596992 bytes
MD5 hash: 1396637598469E7E918C70BE938370D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 22:23:11
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
Imagebase: 0x20000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:23:12
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:23:13
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\catch\catch.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\catch\catch.exe
Imagebase: 0x270000
File size: 596992 bytes
MD5 hash: 1396637598469E7E918C70BE938370D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 22:23:15
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\catch\catch.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\catch\catch.exe
Imagebase: 0x3d0000
File size: 596992 bytes
MD5 hash: 1396637598469E7E918C70BE938370D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                General

                                                                Start time:22:23:17
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                                                                Imagebase:0xd30000
                                                                File size:430592 bytes
                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:high

                                                                General

                                                                Start time:22:23:17
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:22:23:17
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Imagebase:0x330000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:22:23:17
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
                                                                Imagebase:0x20000
                                                                File size:185856 bytes
                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:22:23:19
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:22:23:20
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Imagebase:0x940000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.501171531.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.501171531.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.511166140.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000002.511166140.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.502205022.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.502205022.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                                General

                                                                Start time:22:23:20
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Imagebase:0x990000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.606123172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000002.606123172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000000.502624331.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000000.502624331.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000000.500431945.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000000.500431945.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                                Disassembly

                                                                Code Analysis
