Windows Analysis Report
QUOTATION PDF_SCAN_COPY.exe

Overview

General Information

Sample Name: QUOTATION PDF_SCAN_COPY.exe
Analysis ID: 563220
MD5: 5e9af5b2056e4da639a9459e3b36193c
SHA1: b779402e9a6ecbbef6b68817814991bbcade12df
SHA256: 35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.faireez.club/n2t4/"], "decoy": ["livingthroughthechaos.net", "videobuzzmedia.com", "felineformulas.com", "theorganicbees.com", "bizoeflow.com", "gtbcked.com", "immortalapenft.com", "pacherasrl.com", "defunddrip.black", "fromefarm.com", "newmedicalnetwork.com", "nikosblue.com", "kaecfu.online", "arcane-stylish.com", "7ox.info", "osamaabuzawayed.com", "noemielatour.com", "baccaratjava.com", "latinfoodandwinefestival.com", "magiclandstudios.com", "shazpe.com", "businessmanbazar.com", "lifewithkatiewright.com", "themarketingideascatalog.com", "nickbrizhoops.com", "esportsgamertv.com", "delinointeriores.com", "connotatetechnologies.net", "cybomatic.cloud", "correctmakling.site", "thammydora.com", "ageingwellhomecare.com", "fleetwoodjobshop.site", "jakulo.com", "drbaren.com", "newpointstudio.com", "yxuqamnj.com", "spiritsyncing.net", "hy963app.com", "rnp-trading-lukoil.com", "bowlesuniverse.com", "fumigacionesecouniversal.com", "vulvip.com", "heppi.pro", "preetiplease.com", "gemini-hk.icu", "allyazek24.xyz", "blackbratapparelcompany.com", "immersivenm.com", "mystoragewarehouse.com", "dvjdob.icu", "mecanicadesuelosrancagua.one", "cayugacommunitysolar.com", "parizes.site", "vpsincnas.com", "tattoo-marketplace.online", "garadapatngklgamazon.com", "signa.info", "simplegourmetpa.com", "quintanaroopt.com", "studio-goettingen.com", "brimhi.com", "fabula-glass.com", "1049hubertrd.com"]}
Source: QUOTATION PDF_SCAN_COPY.exe Virustotal: Detection: 42%
Source: QUOTATION PDF_SCAN_COPY.exe Metadefender: Detection: 29%
Source: QUOTATION PDF_SCAN_COPY.exe ReversingLabs: Detection: 32%
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\KHDScDG.exe Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Roaming\KHDScDG.exe ReversingLabs: Detection: 32%
Source: QUOTATION PDF_SCAN_COPY.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\KHDScDG.exe Joe Sandbox ML: detected
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance

Source: QUOTATION PDF_SCAN_COPY.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTATION PDF_SCAN_COPY.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.744424237.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.835752890.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981500601.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981764982.00000000035DF000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.744424237.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.835752890.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000013.00000002.981500601.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981764982.00000000035DF000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838690431.00000000030C0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: zrsmwUxCy\src\obj\Debug\Regist.pdb source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745031177.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\lzrsmwUxCy\src\obj\Debug\Regist.pdb source: QUOTATION PDF_SCAN_COPY.exe, KHDScDG.exe.1.dr
Source: Binary string: wlanext.pdbGCTL source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838690431.00000000030C0000.00000040.10000000.00040000.00000000.sdmp

Software Vulnerabilities

Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 4x nop then pop edi 11_2_00416CDE
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 4x nop then pop edi 11_2_00417D51
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop edi 19_2_03287D51
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop edi 19_2_03286CDE

Networking

Source: Malware configuration extractor URLs: www.faireez.club/n2t4/
Source: explorer.exe, 0000001A.00000002.976108228.00000000080F2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.948419680.00000000080F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745478312.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2ae091c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2b961c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: initial sample Static PE information: Filename: QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2ae091c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2b961c0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 034EB150 appears 48 times
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041A350 NtCreateFile, 11_2_0041A350
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041A400 NtReadFile, 11_2_0041A400
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041A480 NtClose, 11_2_0041A480
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041A530 NtAllocateVirtualMemory, 11_2_0041A530
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041A34A NtCreateFile, 11_2_0041A34A
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041A484 NtClose, 11_2_0041A484
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041A52D NtAllocateVirtualMemory, 11_2_0041A52D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529A50 NtCreateFile,LdrInitializeThunk, 19_2_03529A50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_03529910
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035299A0 NtCreateSection,LdrInitializeThunk, 19_2_035299A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529840 NtDelayExecution,LdrInitializeThunk, 19_2_03529840
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_03529860
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529710 NtQueryInformationToken,LdrInitializeThunk, 19_2_03529710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529FE0 NtCreateMutant,LdrInitializeThunk, 19_2_03529FE0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529780 NtMapViewOfSection,LdrInitializeThunk, 19_2_03529780
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529650 NtQueryValueKey,LdrInitializeThunk, 19_2_03529650
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_03529660
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035296D0 NtCreateKey,LdrInitializeThunk, 19_2_035296D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035296E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_035296E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529540 NtReadFile,LdrInitializeThunk, 19_2_03529540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035295D0 NtClose,LdrInitializeThunk, 19_2_035295D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529B00 NtSetValueKey, 19_2_03529B00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0352A3B0 NtGetContextThread, 19_2_0352A3B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529A10 NtQuerySection, 19_2_03529A10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529A00 NtProtectVirtualMemory, 19_2_03529A00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529A20 NtResumeThread, 19_2_03529A20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529A80 NtOpenDirectoryObject, 19_2_03529A80
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529950 NtQueueApcThread, 19_2_03529950
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035299D0 NtCreateProcessEx, 19_2_035299D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0352B040 NtSuspendThread, 19_2_0352B040
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529820 NtEnumerateKey, 19_2_03529820
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035298F0 NtReadVirtualMemory, 19_2_035298F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035298A0 NtWriteVirtualMemory, 19_2_035298A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0352A770 NtOpenThread, 19_2_0352A770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529770 NtSetInformationFile, 19_2_03529770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529760 NtOpenProcess, 19_2_03529760
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0352A710 NtOpenProcessToken, 19_2_0352A710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529730 NtQueryVirtualMemory, 19_2_03529730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035297A0 NtUnmapViewOfSection, 19_2_035297A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529670 NtQueryInformationProcess, 19_2_03529670
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529610 NtEnumerateValueKey, 19_2_03529610
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529560 NtWriteFile, 19_2_03529560
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0352AD30 NtSetContextThread, 19_2_0352AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03529520 NtWaitForSingleObject, 19_2_03529520
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035295F0 NtQueryInformationFile, 19_2_035295F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328A350 NtCreateFile, 19_2_0328A350
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328A530 NtAllocateVirtualMemory, 19_2_0328A530
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328A400 NtReadFile, 19_2_0328A400
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328A480 NtClose, 19_2_0328A480
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328A34A NtCreateFile, 19_2_0328A34A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328A52D NtAllocateVirtualMemory, 19_2_0328A52D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328A484 NtClose, 19_2_0328A484
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.744721256.00000000007F6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRegist.exe> vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.751804560.0000000007290000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745031177.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRegist.exe> vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.837055363.000000000126F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000000.740634191.0000000000626000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRegist.exe> vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.745342764.0000000000F3F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838741595.00000000030D2000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe Binary or memory string: OriginalFilenameRegist.exe> vs QUOTATION PDF_SCAN_COPY.exe
Source: QUOTATION PDF_SCAN_COPY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KHDScDG.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QUOTATION PDF_SCAN_COPY.exe Virustotal: Detection: 42%
Source: QUOTATION PDF_SCAN_COPY.exe Metadefender: Detection: 29%
Source: QUOTATION PDF_SCAN_COPY.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe File read: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe:Zone.Identifier
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process created: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe File created: C:\Users\user\AppData\Roaming\KHDScDG.exe
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe File created: C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@14/8@0/0
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3532:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_01
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: QUOTATION PDF_SCAN_COPY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATION PDF_SCAN_COPY.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: QUOTATION PDF_SCAN_COPY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.744424237.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.835752890.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981500601.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981764982.00000000035DF000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.744424237.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.835752890.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000013.00000002.981500601.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981764982.00000000035DF000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838690431.00000000030C0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: zrsmwUxCy\src\obj\Debug\Regist.pdb source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745031177.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\lzrsmwUxCy\src\obj\Debug\Regist.pdb source: QUOTATION PDF_SCAN_COPY.exe, KHDScDG.exe.1.dr
Source: Binary string: wlanext.pdbGCTL source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838690431.00000000030C0000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: QUOTATION PDF_SCAN_COPY.exe, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: KHDScDG.exe.1.dr, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.QUOTATION PDF_SCAN_COPY.exe.770000.0.unpack, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.770000.0.unpack, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.7.unpack, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.3.unpack, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.5a0000.1.unpack, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.5.unpack, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.9.unpack, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.1.unpack, LineNumberInfo/FormControl.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 1_2_00773F6D push es; ret 1_2_00773F74
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 1_2_00773F43 push es; retn 0000h 1_2_00773F4A
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_00416971 push 0622FF2Ah; iretd 11_2_0041697B
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041D4F2 push eax; ret 11_2_0041D4F8
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041D4FB push eax; ret 11_2_0041D562
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041D4A5 push eax; ret 11_2_0041D4F8
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0041D55C push eax; ret 11_2_0041D562
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_005A3F43 push es; retn 0000h 11_2_005A3F4A
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_005A3F6D push es; ret 11_2_005A3F74
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0353D0D1 push ecx; ret 19_2_0353D0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328DB3B pushfd ; retf 19_2_0328DB41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03286971 push 0622FF2Ah; iretd 19_2_0328697B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328D55C push eax; ret 19_2_0328D562
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328D4A5 push eax; ret 19_2_0328D4F8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328D4FB push eax; ret 19_2_0328D562
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0328D4F2 push eax; ret 19_2_0328D4F8
Source: initial sample Static PE information: section name: .text entropy: 7.40361532396

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe File created: C:\Users\user\AppData\Roaming\KHDScDG.exe

Boot Survival

Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\SysWOW64\wlanext.exe Process created: /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2ae091c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2b961c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION PDF_SCAN_COPY.exe PID: 6844, type: MEMORYSTR
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000003279904 second address: 000000000327990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000003279B6E second address: 0000000003279B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe TID: 6840 Thread sleep time: -40434s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe TID: 6992 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6452 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_00409AA0 rdtsc 11_2_00409AA0
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7155
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1220
Source: C:\Windows\SysWOW64\wlanext.exe API coverage: 9.1 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Thread delayed: delay time: 40434
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000D.00000000.822859782.0000000004791000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}/
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.759263988.000000000A897000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000001A.00000002.973762856.0000000004514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000D.00000000.753506570.0000000006650000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.757508985.000000000A60E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000002.973762856.0000000004514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000D.00000000.772378889.000000000A716000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}KTOP
Source: explorer.exe, 0000001A.00000000.948419680.00000000080F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001A.00000000.946402054.00000000060E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000b
Source: explorer.exe, 0000000D.00000000.751020546.0000000004710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000D.00000000.772378889.000000000A716000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000D.00000000.760746983.000000000FD2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&d
Source: explorer.exe, 0000000D.00000000.772627409.000000000A784000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 0000001A.00000002.975771348.0000000007F9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000s
Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging

Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_00409AA0 rdtsc 11_2_00409AA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B8B58 mov eax, dword ptr fs:[00000030h] 19_2_035B8B58
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EDB40 mov eax, dword ptr fs:[00000030h] 19_2_034EDB40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EF358 mov eax, dword ptr fs:[00000030h] 19_2_034EF358
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03513B7A mov eax, dword ptr fs:[00000030h] 19_2_03513B7A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03513B7A mov eax, dword ptr fs:[00000030h] 19_2_03513B7A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EDB60 mov ecx, dword ptr fs:[00000030h] 19_2_034EDB60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A131B mov eax, dword ptr fs:[00000030h] 19_2_035A131B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035653CA mov eax, dword ptr fs:[00000030h] 19_2_035653CA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035653CA mov eax, dword ptr fs:[00000030h] 19_2_035653CA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h] 19_2_035103E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h] 19_2_035103E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h] 19_2_035103E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h] 19_2_035103E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h] 19_2_035103E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h] 19_2_035103E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350DBE9 mov eax, dword ptr fs:[00000030h] 19_2_0350DBE9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F1B8F mov eax, dword ptr fs:[00000030h] 19_2_034F1B8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F1B8F mov eax, dword ptr fs:[00000030h] 19_2_034F1B8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351B390 mov eax, dword ptr fs:[00000030h] 19_2_0351B390
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03512397 mov eax, dword ptr fs:[00000030h] 19_2_03512397
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A138A mov eax, dword ptr fs:[00000030h] 19_2_035A138A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0359D380 mov ecx, dword ptr fs:[00000030h] 19_2_0359D380
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03514BAD mov eax, dword ptr fs:[00000030h] 19_2_03514BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03514BAD mov eax, dword ptr fs:[00000030h] 19_2_03514BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03514BAD mov eax, dword ptr fs:[00000030h] 19_2_03514BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B5BA5 mov eax, dword ptr fs:[00000030h] 19_2_035B5BA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03574257 mov eax, dword ptr fs:[00000030h] 19_2_03574257
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E9240 mov eax, dword ptr fs:[00000030h] 19_2_034E9240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E9240 mov eax, dword ptr fs:[00000030h] 19_2_034E9240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E9240 mov eax, dword ptr fs:[00000030h] 19_2_034E9240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E9240 mov eax, dword ptr fs:[00000030h] 19_2_034E9240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AEA55 mov eax, dword ptr fs:[00000030h] 19_2_035AEA55
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0352927A mov eax, dword ptr fs:[00000030h] 19_2_0352927A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0359B260 mov eax, dword ptr fs:[00000030h] 19_2_0359B260
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0359B260 mov eax, dword ptr fs:[00000030h] 19_2_0359B260
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B8A62 mov eax, dword ptr fs:[00000030h] 19_2_035B8A62
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F8A0A mov eax, dword ptr fs:[00000030h] 19_2_034F8A0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03503A1C mov eax, dword ptr fs:[00000030h] 19_2_03503A1C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AAA16 mov eax, dword ptr fs:[00000030h] 19_2_035AAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AAA16 mov eax, dword ptr fs:[00000030h] 19_2_035AAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EAA16 mov eax, dword ptr fs:[00000030h] 19_2_034EAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EAA16 mov eax, dword ptr fs:[00000030h] 19_2_034EAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E5210 mov eax, dword ptr fs:[00000030h] 19_2_034E5210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E5210 mov ecx, dword ptr fs:[00000030h] 19_2_034E5210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E5210 mov eax, dword ptr fs:[00000030h] 19_2_034E5210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E5210 mov eax, dword ptr fs:[00000030h] 19_2_034E5210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h] 19_2_0350A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03524A2C mov eax, dword ptr fs:[00000030h] 19_2_03524A2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03524A2C mov eax, dword ptr fs:[00000030h] 19_2_03524A2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03512ACB mov eax, dword ptr fs:[00000030h] 19_2_03512ACB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03512AE4 mov eax, dword ptr fs:[00000030h] 19_2_03512AE4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351D294 mov eax, dword ptr fs:[00000030h] 19_2_0351D294
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351D294 mov eax, dword ptr fs:[00000030h] 19_2_0351D294
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351FAB0 mov eax, dword ptr fs:[00000030h] 19_2_0351FAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h] 19_2_034E52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h] 19_2_034E52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h] 19_2_034E52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h] 19_2_034E52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h] 19_2_034E52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FAAB0 mov eax, dword ptr fs:[00000030h] 19_2_034FAAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FAAB0 mov eax, dword ptr fs:[00000030h] 19_2_034FAAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350B944 mov eax, dword ptr fs:[00000030h] 19_2_0350B944
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350B944 mov eax, dword ptr fs:[00000030h] 19_2_0350B944
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EC962 mov eax, dword ptr fs:[00000030h] 19_2_034EC962
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EB171 mov eax, dword ptr fs:[00000030h] 19_2_034EB171
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EB171 mov eax, dword ptr fs:[00000030h] 19_2_034EB171
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E9100 mov eax, dword ptr fs:[00000030h] 19_2_034E9100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E9100 mov eax, dword ptr fs:[00000030h] 19_2_034E9100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E9100 mov eax, dword ptr fs:[00000030h] 19_2_034E9100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351513A mov eax, dword ptr fs:[00000030h] 19_2_0351513A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351513A mov eax, dword ptr fs:[00000030h] 19_2_0351513A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03504120 mov eax, dword ptr fs:[00000030h] 19_2_03504120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03504120 mov eax, dword ptr fs:[00000030h] 19_2_03504120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03504120 mov eax, dword ptr fs:[00000030h] 19_2_03504120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03504120 mov eax, dword ptr fs:[00000030h] 19_2_03504120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03504120 mov ecx, dword ptr fs:[00000030h] 19_2_03504120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_034EB1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_034EB1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_034EB1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035741E8 mov eax, dword ptr fs:[00000030h] 19_2_035741E8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03512990 mov eax, dword ptr fs:[00000030h] 19_2_03512990
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350C182 mov eax, dword ptr fs:[00000030h] 19_2_0350C182
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351A185 mov eax, dword ptr fs:[00000030h] 19_2_0351A185
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035651BE mov eax, dword ptr fs:[00000030h] 19_2_035651BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035651BE mov eax, dword ptr fs:[00000030h] 19_2_035651BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035651BE mov eax, dword ptr fs:[00000030h] 19_2_035651BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035651BE mov eax, dword ptr fs:[00000030h] 19_2_035651BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035669A6 mov eax, dword ptr fs:[00000030h] 19_2_035669A6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035161A0 mov eax, dword ptr fs:[00000030h] 19_2_035161A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035161A0 mov eax, dword ptr fs:[00000030h] 19_2_035161A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A49A4 mov eax, dword ptr fs:[00000030h] 19_2_035A49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A49A4 mov eax, dword ptr fs:[00000030h] 19_2_035A49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A49A4 mov eax, dword ptr fs:[00000030h] 19_2_035A49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A49A4 mov eax, dword ptr fs:[00000030h] 19_2_035A49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03500050 mov eax, dword ptr fs:[00000030h] 19_2_03500050
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03500050 mov eax, dword ptr fs:[00000030h] 19_2_03500050
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A2073 mov eax, dword ptr fs:[00000030h] 19_2_035A2073
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B1074 mov eax, dword ptr fs:[00000030h] 19_2_035B1074
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03567016 mov eax, dword ptr fs:[00000030h] 19_2_03567016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03567016 mov eax, dword ptr fs:[00000030h] 19_2_03567016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03567016 mov eax, dword ptr fs:[00000030h] 19_2_03567016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B4015 mov eax, dword ptr fs:[00000030h] 19_2_035B4015
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B4015 mov eax, dword ptr fs:[00000030h] 19_2_035B4015
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FB02A mov eax, dword ptr fs:[00000030h] 19_2_034FB02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FB02A mov eax, dword ptr fs:[00000030h] 19_2_034FB02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FB02A mov eax, dword ptr fs:[00000030h] 19_2_034FB02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FB02A mov eax, dword ptr fs:[00000030h] 19_2_034FB02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351002D mov eax, dword ptr fs:[00000030h] 19_2_0351002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351002D mov eax, dword ptr fs:[00000030h] 19_2_0351002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351002D mov eax, dword ptr fs:[00000030h] 19_2_0351002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351002D mov eax, dword ptr fs:[00000030h] 19_2_0351002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351002D mov eax, dword ptr fs:[00000030h] 19_2_0351002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h] 19_2_0357B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357B8D0 mov ecx, dword ptr fs:[00000030h] 19_2_0357B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h] 19_2_0357B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h] 19_2_0357B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h] 19_2_0357B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h] 19_2_0357B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E58EC mov eax, dword ptr fs:[00000030h] 19_2_034E58EC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E40E1 mov eax, dword ptr fs:[00000030h] 19_2_034E40E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E40E1 mov eax, dword ptr fs:[00000030h] 19_2_034E40E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E40E1 mov eax, dword ptr fs:[00000030h] 19_2_034E40E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E9080 mov eax, dword ptr fs:[00000030h] 19_2_034E9080
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03563884 mov eax, dword ptr fs:[00000030h] 19_2_03563884
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03563884 mov eax, dword ptr fs:[00000030h] 19_2_03563884
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351F0BF mov ecx, dword ptr fs:[00000030h] 19_2_0351F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351F0BF mov eax, dword ptr fs:[00000030h] 19_2_0351F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351F0BF mov eax, dword ptr fs:[00000030h] 19_2_0351F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h] 19_2_035120A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h] 19_2_035120A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h] 19_2_035120A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h] 19_2_035120A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h] 19_2_035120A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h] 19_2_035120A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035290AF mov eax, dword ptr fs:[00000030h] 19_2_035290AF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FEF40 mov eax, dword ptr fs:[00000030h] 19_2_034FEF40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FFF60 mov eax, dword ptr fs:[00000030h] 19_2_034FFF60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B8F6A mov eax, dword ptr fs:[00000030h] 19_2_035B8F6A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350F716 mov eax, dword ptr fs:[00000030h] 19_2_0350F716
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357FF10 mov eax, dword ptr fs:[00000030h] 19_2_0357FF10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357FF10 mov eax, dword ptr fs:[00000030h] 19_2_0357FF10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B070D mov eax, dword ptr fs:[00000030h] 19_2_035B070D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B070D mov eax, dword ptr fs:[00000030h] 19_2_035B070D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351A70E mov eax, dword ptr fs:[00000030h] 19_2_0351A70E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351A70E mov eax, dword ptr fs:[00000030h] 19_2_0351A70E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E4F2E mov eax, dword ptr fs:[00000030h] 19_2_034E4F2E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E4F2E mov eax, dword ptr fs:[00000030h] 19_2_034E4F2E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351E730 mov eax, dword ptr fs:[00000030h] 19_2_0351E730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035237F5 mov eax, dword ptr fs:[00000030h] 19_2_035237F5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03567794 mov eax, dword ptr fs:[00000030h] 19_2_03567794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03567794 mov eax, dword ptr fs:[00000030h] 19_2_03567794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03567794 mov eax, dword ptr fs:[00000030h] 19_2_03567794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F8794 mov eax, dword ptr fs:[00000030h] 19_2_034F8794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h] 19_2_034F7E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h] 19_2_034F7E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h] 19_2_034F7E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h] 19_2_034F7E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h] 19_2_034F7E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h] 19_2_034F7E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AAE44 mov eax, dword ptr fs:[00000030h] 19_2_035AAE44
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AAE44 mov eax, dword ptr fs:[00000030h] 19_2_035AAE44
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F766D mov eax, dword ptr fs:[00000030h] 19_2_034F766D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h] 19_2_0350AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h] 19_2_0350AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h] 19_2_0350AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h] 19_2_0350AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h] 19_2_0350AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351A61C mov eax, dword ptr fs:[00000030h] 19_2_0351A61C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351A61C mov eax, dword ptr fs:[00000030h] 19_2_0351A61C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EC600 mov eax, dword ptr fs:[00000030h] 19_2_034EC600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EC600 mov eax, dword ptr fs:[00000030h] 19_2_034EC600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EC600 mov eax, dword ptr fs:[00000030h] 19_2_034EC600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03518E00 mov eax, dword ptr fs:[00000030h] 19_2_03518E00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1608 mov eax, dword ptr fs:[00000030h] 19_2_035A1608
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0359FE3F mov eax, dword ptr fs:[00000030h] 19_2_0359FE3F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EE620 mov eax, dword ptr fs:[00000030h] 19_2_034EE620
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B8ED6 mov eax, dword ptr fs:[00000030h] 19_2_035B8ED6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03528EC7 mov eax, dword ptr fs:[00000030h] 19_2_03528EC7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0359FEC0 mov eax, dword ptr fs:[00000030h] 19_2_0359FEC0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035136CC mov eax, dword ptr fs:[00000030h] 19_2_035136CC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F76E2 mov eax, dword ptr fs:[00000030h] 19_2_034F76E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035116E0 mov ecx, dword ptr fs:[00000030h] 19_2_035116E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357FE87 mov eax, dword ptr fs:[00000030h] 19_2_0357FE87
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035646A7 mov eax, dword ptr fs:[00000030h] 19_2_035646A7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B0EA5 mov eax, dword ptr fs:[00000030h] 19_2_035B0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B0EA5 mov eax, dword ptr fs:[00000030h] 19_2_035B0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B0EA5 mov eax, dword ptr fs:[00000030h] 19_2_035B0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03507D50 mov eax, dword ptr fs:[00000030h] 19_2_03507D50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03523D43 mov eax, dword ptr fs:[00000030h] 19_2_03523D43
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03563540 mov eax, dword ptr fs:[00000030h] 19_2_03563540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03593D40 mov eax, dword ptr fs:[00000030h] 19_2_03593D40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350C577 mov eax, dword ptr fs:[00000030h] 19_2_0350C577
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350C577 mov eax, dword ptr fs:[00000030h] 19_2_0350C577
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0356A537 mov eax, dword ptr fs:[00000030h] 19_2_0356A537
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AE539 mov eax, dword ptr fs:[00000030h] 19_2_035AE539
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03514D3B mov eax, dword ptr fs:[00000030h] 19_2_03514D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03514D3B mov eax, dword ptr fs:[00000030h] 19_2_03514D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03514D3B mov eax, dword ptr fs:[00000030h] 19_2_03514D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B8D34 mov eax, dword ptr fs:[00000030h] 19_2_035B8D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h] 19_2_034F3D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034EAD30 mov eax, dword ptr fs:[00000030h] 19_2_034EAD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h] 19_2_03566DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h] 19_2_03566DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h] 19_2_03566DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03566DC9 mov ecx, dword ptr fs:[00000030h] 19_2_03566DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h] 19_2_03566DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h] 19_2_03566DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03598DF1 mov eax, dword ptr fs:[00000030h] 19_2_03598DF1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FD5E0 mov eax, dword ptr fs:[00000030h] 19_2_034FD5E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034FD5E0 mov eax, dword ptr fs:[00000030h] 19_2_034FD5E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AFDE2 mov eax, dword ptr fs:[00000030h] 19_2_035AFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AFDE2 mov eax, dword ptr fs:[00000030h] 19_2_035AFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AFDE2 mov eax, dword ptr fs:[00000030h] 19_2_035AFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035AFDE2 mov eax, dword ptr fs:[00000030h] 19_2_035AFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h] 19_2_034E2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h] 19_2_034E2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h] 19_2_034E2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h] 19_2_034E2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h] 19_2_034E2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351FD9B mov eax, dword ptr fs:[00000030h] 19_2_0351FD9B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351FD9B mov eax, dword ptr fs:[00000030h] 19_2_0351FD9B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03512581 mov eax, dword ptr fs:[00000030h] 19_2_03512581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03512581 mov eax, dword ptr fs:[00000030h] 19_2_03512581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03512581 mov eax, dword ptr fs:[00000030h] 19_2_03512581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03512581 mov eax, dword ptr fs:[00000030h] 19_2_03512581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03511DB5 mov eax, dword ptr fs:[00000030h] 19_2_03511DB5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03511DB5 mov eax, dword ptr fs:[00000030h] 19_2_03511DB5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03511DB5 mov eax, dword ptr fs:[00000030h] 19_2_03511DB5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035135A1 mov eax, dword ptr fs:[00000030h] 19_2_035135A1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B05AC mov eax, dword ptr fs:[00000030h] 19_2_035B05AC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B05AC mov eax, dword ptr fs:[00000030h] 19_2_035B05AC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357C450 mov eax, dword ptr fs:[00000030h] 19_2_0357C450
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0357C450 mov eax, dword ptr fs:[00000030h] 19_2_0357C450
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351A44B mov eax, dword ptr fs:[00000030h] 19_2_0351A44B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0350746D mov eax, dword ptr fs:[00000030h] 19_2_0350746D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B740D mov eax, dword ptr fs:[00000030h] 19_2_035B740D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B740D mov eax, dword ptr fs:[00000030h] 19_2_035B740D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B740D mov eax, dword ptr fs:[00000030h] 19_2_035B740D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h] 19_2_035A1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03566C0A mov eax, dword ptr fs:[00000030h] 19_2_03566C0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_0351BC2C mov eax, dword ptr fs:[00000030h] 19_2_0351BC2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035B8CD6 mov eax, dword ptr fs:[00000030h] 19_2_035B8CD6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_035A14FB mov eax, dword ptr fs:[00000030h] 19_2_035A14FB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_03566CF0 mov eax, dword ptr fs:[00000030h] 19_2_03566CF0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 19_2_034F849B mov eax, dword ptr fs:[00000030h] 19_2_034F849B
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Code function: 11_2_0040ACE0 LdrLoadDll, 11_2_0040ACE0
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 8C0000
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Memory written: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3424
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Process created: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
Source: explorer.exe, 0000001A.00000000.933779947.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.972145544.00000000004C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GProgman
Source: explorer.exe, 0000000D.00000000.748886888.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.815138402.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.764707107.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000D.00000000.749118501.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.784309872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.818058710.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.765010768.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000D.00000000.788437587.0000000005E50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.749118501.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.784309872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.818058710.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.765010768.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.941915708.0000000004890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.973945756.0000000004890000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.749118501.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.784309872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.818058710.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.765010768.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.941915708.0000000004890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.973945756.0000000004890000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.749118501.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.784309872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.818058710.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.765010768.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000D.00000000.757932990.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.772378889.000000000A716000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd5D
Source: explorer.exe, 0000001A.00000000.939303003.0000000004549000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.918656126.000000000455D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.918996216.000000000455D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.973826164.0000000004549000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanR

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos