Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUOTATION PDF_SCAN_COPY.exe

Overview

General Information

Sample Name:QUOTATION PDF_SCAN_COPY.exe
Analysis ID:563220
MD5:5e9af5b2056e4da639a9459e3b36193c
SHA1:b779402e9a6ecbbef6b68817814991bbcade12df
SHA256:35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d
Tags:exeformbook
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • QUOTATION PDF_SCAN_COPY.exe (PID: 6844 cmdline: "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe" MD5: 5E9AF5B2056E4DA639A9459E3B36193C)
    • powershell.exe (PID: 4128 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 984 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • QUOTATION PDF_SCAN_COPY.exe (PID: 796 cmdline: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe MD5: 5E9AF5B2056E4DA639A9459E3B36193C)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 4100 cmdline: /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 5880 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.faireez.club/n2t4/"], "decoy": ["livingthroughthechaos.net", "videobuzzmedia.com", "felineformulas.com", "theorganicbees.com", "bizoeflow.com", "gtbcked.com", "immortalapenft.com", "pacherasrl.com", "defunddrip.black", "fromefarm.com", "newmedicalnetwork.com", "nikosblue.com", "kaecfu.online", "arcane-stylish.com", "7ox.info", "osamaabuzawayed.com", "noemielatour.com", "baccaratjava.com", "latinfoodandwinefestival.com", "magiclandstudios.com", "shazpe.com", "businessmanbazar.com", "lifewithkatiewright.com", "themarketingideascatalog.com", "nickbrizhoops.com", "esportsgamertv.com", "delinointeriores.com", "connotatetechnologies.net", "cybomatic.cloud", "correctmakling.site", "thammydora.com", "ageingwellhomecare.com", "fleetwoodjobshop.site", "jakulo.com", "drbaren.com", "newpointstudio.com", "yxuqamnj.com", "spiritsyncing.net", "hy963app.com", "rnp-trading-lukoil.com", "bowlesuniverse.com", "fumigacionesecouniversal.com", "vulvip.com", "heppi.pro", "preetiplease.com", "gemini-hk.icu", "allyazek24.xyz", "blackbratapparelcompany.com", "immersivenm.com", "mystoragewarehouse.com", "dvjdob.icu", "mecanicadesuelosrancagua.one", "cayugacommunitysolar.com", "parizes.site", "vpsincnas.com", "tattoo-marketplace.online", "garadapatngklgamazon.com", "signa.info", "simplegourmetpa.com", "quintanaroopt.com", "studio-goettingen.com", "brimhi.com", "fabula-glass.com", "1049hubertrd.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18839:$sqlite3step: 68 34 1C 7B E1
    • 0x1894c:$sqlite3step: 68 34 1C 7B E1
    • 0x18868:$sqlite3text: 68 38 2A 90 C5
    • 0x1898d:$sqlite3text: 68 38 2A 90 C5
    • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
    0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 31 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x17a39:$sqlite3step: 68 34 1C 7B E1
        • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a68:$sqlite3text: 68 38 2A 90 C5
        • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
        11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 20 entries

          Sigma Overview

          System Summary

          barindex
          Sigma detected: Suspicius Add Task From User AppData Temp
          Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe" , ParentImage: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe, ParentProcessId: 6844, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp, ProcessId: 984
          Sigma detected: Powershell Defender Exclusion
          Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe" , ParentImage: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe, ParentProcessId: 6844, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe, ProcessId: 4128
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe" , ParentImage: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe, ParentProcessId: 6844, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe, ProcessId: 4128
          Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132881008087743040.4128.DefaultAppDomain.powershell

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Found malware configuration
          Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.faireez.club/n2t4/"], "decoy": ["livingthroughthechaos.net", "videobuzzmedia.com", "felineformulas.com", "theorganicbees.com", "bizoeflow.com", "gtbcked.com", "immortalapenft.com", "pacherasrl.com", "defunddrip.black", "fromefarm.com", "newmedicalnetwork.com", "nikosblue.com", "kaecfu.online", "arcane-stylish.com", "7ox.info", "osamaabuzawayed.com", "noemielatour.com", "baccaratjava.com", "latinfoodandwinefestival.com", "magiclandstudios.com", "shazpe.com", "businessmanbazar.com", "lifewithkatiewright.com", "themarketingideascatalog.com", "nickbrizhoops.com", "esportsgamertv.com", "delinointeriores.com", "connotatetechnologies.net", "cybomatic.cloud", "correctmakling.site", "thammydora.com", "ageingwellhomecare.com", "fleetwoodjobshop.site", "jakulo.com", "drbaren.com", "newpointstudio.com", "yxuqamnj.com", "spiritsyncing.net", "hy963app.com", "rnp-trading-lukoil.com", "bowlesuniverse.com", "fumigacionesecouniversal.com", "vulvip.com", "heppi.pro", "preetiplease.com", "gemini-hk.icu", "allyazek24.xyz", "blackbratapparelcompany.com", "immersivenm.com", "mystoragewarehouse.com", "dvjdob.icu", "mecanicadesuelosrancagua.one", "cayugacommunitysolar.com", "parizes.site", "vpsincnas.com", "tattoo-marketplace.online", "garadapatngklgamazon.com", "signa.info", "simplegourmetpa.com", "quintanaroopt.com", "studio-goettingen.com", "brimhi.com", "fabula-glass.com", "1049hubertrd.com"]}
          Multi AV Scanner detection for submitted file
          Source: QUOTATION PDF_SCAN_COPY.exeVirustotal: Detection: 42%Perma Link
          Source: QUOTATION PDF_SCAN_COPY.exeMetadefender: Detection: 29%Perma Link
          Source: QUOTATION PDF_SCAN_COPY.exeReversingLabs: Detection: 32%
          Yara detected FormBook
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\KHDScDG.exeMetadefender: Detection: 29%Perma Link
          Source: C:\Users\user\AppData\Roaming\KHDScDG.exeReversingLabs: Detection: 32%
          Machine Learning detection for sample
          Source: QUOTATION PDF_SCAN_COPY.exeJoe Sandbox ML: detected
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Roaming\KHDScDG.exeJoe Sandbox ML: detected
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: QUOTATION PDF_SCAN_COPY.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: QUOTATION PDF_SCAN_COPY.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.744424237.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.835752890.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981500601.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981764982.00000000035DF000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.744424237.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.835752890.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000013.00000002.981500601.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981764982.00000000035DF000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdb source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838690431.00000000030C0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: zrsmwUxCy\src\obj\Debug\Regist.pdb source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745031177.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\lzrsmwUxCy\src\obj\Debug\Regist.pdb source: QUOTATION PDF_SCAN_COPY.exe, KHDScDG.exe.1.dr
          Source: Binary string: wlanext.pdbGCTL source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838690431.00000000030C0000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 4x nop then pop edi
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 4x nop then pop edi

          Networking

          barindex
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: www.faireez.club/n2t4/
          Source: explorer.exe, 0000001A.00000002.976108228.00000000080F2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.948419680.00000000080F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745478312.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2ae091c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2b961c0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: QUOTATION PDF_SCAN_COPY.exe
          Source: initial sampleStatic PE information: Filename: QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2ae091c.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2b961c0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 1_2_00774D5B
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 1_2_0116E6B0
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 1_2_0116C254
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 1_2_0116E6A0
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_00401030
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041E0E3
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041DABE
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_00402D90
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041E640
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_00409E50
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041E61E
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041D722
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_00402FB0
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_005A4D5B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350AB40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B2B28
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A03DA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035ADBD2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351EBB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0359FA2B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B22AE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EF900
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03504120
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1002
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035BE824
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B28EC
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FB090
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035120A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B20A8
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035BDFCE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B1FF1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AD616
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03506E30
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B2EF7
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B1D55
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B2D07
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E0D20
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B25DD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FD5E0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512581
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AD466
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F841F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328E0A1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328E0BA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328E0DB
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03272FB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328E61E
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328E640
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03279E50
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03272D90
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 034EB150 appears 48 times
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041A350 NtCreateFile,
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041A400 NtReadFile,
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041A480 NtClose,
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041A530 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041A34A NtCreateFile,
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041A484 NtClose,
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041A52D NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035296D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035295D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0352A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035299D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0352B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035298F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035298A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0352A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0352A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035297A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529560 NtWriteFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0352AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03529520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035295F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328A350 NtCreateFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328A530 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328A400 NtReadFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328A480 NtClose,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328A34A NtCreateFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328A52D NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328A484 NtClose,
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.744721256.00000000007F6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRegist.exe> vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.751804560.0000000007290000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745031177.0000000000F2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRegist.exe> vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.837055363.000000000126F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000000.740634191.0000000000626000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRegist.exe> vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.745342764.0000000000F3F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838741595.00000000030D2000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewlanext.exej% vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exeBinary or memory string: OriginalFilenameRegist.exe> vs QUOTATION PDF_SCAN_COPY.exe
          Source: QUOTATION PDF_SCAN_COPY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: KHDScDG.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: QUOTATION PDF_SCAN_COPY.exeVirustotal: Detection: 42%
          Source: QUOTATION PDF_SCAN_COPY.exeMetadefender: Detection: 29%
          Source: QUOTATION PDF_SCAN_COPY.exeReversingLabs: Detection: 32%
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeFile read: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe:Zone.IdentifierJump to behavior
          Source: QUOTATION PDF_SCAN_COPY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeFile created: C:\Users\user\AppData\Roaming\KHDScDG.exeJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2DBB.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@14/8@0/0
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3532:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_01
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: QUOTATION PDF_SCAN_COPY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: QUOTATION PDF_SCAN_COPY.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: QUOTATION PDF_SCAN_COPY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.744424237.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.835752890.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981500601.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981764982.00000000035DF000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000003.744424237.0000000000E20000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.836130531.00000000010DF000.00000040.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.835752890.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000013.00000002.981500601.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, wlanext.exe, 00000013.00000002.981764982.00000000035DF000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdb source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838690431.00000000030C0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: zrsmwUxCy\src\obj\Debug\Regist.pdb source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745031177.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\lzrsmwUxCy\src\obj\Debug\Regist.pdb source: QUOTATION PDF_SCAN_COPY.exe, KHDScDG.exe.1.dr
          Source: Binary string: wlanext.pdbGCTL source: QUOTATION PDF_SCAN_COPY.exe, 0000000B.00000002.838690431.00000000030C0000.00000040.10000000.00040000.00000000.sdmp

          Data Obfuscation

          barindex
          .NET source code contains potential unpacker
          Source: QUOTATION PDF_SCAN_COPY.exe, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: KHDScDG.exe.1.dr, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 1.0.QUOTATION PDF_SCAN_COPY.exe.770000.0.unpack, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 1.2.QUOTATION PDF_SCAN_COPY.exe.770000.0.unpack, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.7.unpack, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.3.unpack, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 11.2.QUOTATION PDF_SCAN_COPY.exe.5a0000.1.unpack, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.5.unpack, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.9.unpack, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 11.0.QUOTATION PDF_SCAN_COPY.exe.5a0000.1.unpack, LineNumberInfo/FormControl.cs.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 1_2_00773F6D push es; ret
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 1_2_00773F43 push es; retn 0000h
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_00416971 push 0622FF2Ah; iretd
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041D4F2 push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041D4FB push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041D4A5 push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0041D55C push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_005A3F43 push es; retn 0000h
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_005A3F6D push es; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0353D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328DB3B pushfd ; retf
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03286971 push 0622FF2Ah; iretd
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328D55C push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328D4A5 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328D4FB push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0328D4F2 push eax; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.40361532396
          Source: initial sampleStatic PE information: section name: .text entropy: 7.40361532396
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeFile created: C:\Users\user\AppData\Roaming\KHDScDG.exeJump to dropped file

          Boot Survival

          barindex
          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp

          Hooking and other Techniques for Hiding and Protection

          barindex
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
          Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2ae091c.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.QUOTATION PDF_SCAN_COPY.exe.2b961c0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: QUOTATION PDF_SCAN_COPY.exe PID: 6844, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 0000000003279904 second address: 000000000327990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 0000000003279B6E second address: 0000000003279B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe TID: 6840Thread sleep time: -40434s >= -30000s
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe TID: 6992Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6452Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7155
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1220
          Source: C:\Windows\SysWOW64\wlanext.exeAPI coverage: 9.1 %
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeThread delayed: delay time: 40434
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000000D.00000000.822859782.0000000004791000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Prod_VMware_SATA
          Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}/
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000D.00000000.759263988.000000000A897000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: explorer.exe, 0000001A.00000002.973762856.0000000004514000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000000D.00000000.753506570.0000000006650000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000D.00000000.757508985.000000000A60E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001A.00000002.973762856.0000000004514000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000000D.00000000.772378889.000000000A716000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 0000001A.00000002.976202611.0000000008135000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}KTOP
          Source: explorer.exe, 0000001A.00000000.948419680.00000000080F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000001A.00000000.946402054.00000000060E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000b
          Source: explorer.exe, 0000000D.00000000.751020546.0000000004710000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 0000000D.00000000.772378889.000000000A716000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 0000000D.00000000.760746983.000000000FD2C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&d
          Source: explorer.exe, 0000000D.00000000.772627409.000000000A784000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 0000001A.00000002.975771348.0000000007F9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000s
          Source: QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_00409AA0 rdtsc
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03513B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03513B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0359D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03514BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03514BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03514BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03574257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0352927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0359B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0359B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03503A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03524A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03524A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03504120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03504120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03504120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03504120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03504120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03500050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03500050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03567016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03567016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03567016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03563884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03563884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03567794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03567794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03567794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03518E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0359FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03528EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0359FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03507D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03523D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03563540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03593D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0356A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03598DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03511DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03511DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03511DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0357C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0350746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0351BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_035A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_034F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeCode function: 11_2_0040ACE0 LdrLoadDll,
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeSection unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 8C0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeSection loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeSection loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exeSection loaded: unknown target: unknown protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeMemory written: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeThread register set: target process: 3424
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeThread register set: target process: 3424
          Source: C:\Windows\SysWOW64\wlanext.exeThread register set: target process: 3424
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeProcess created: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
          Source: explorer.exe, 0000001A.00000000.933779947.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.972145544.00000000004C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GProgman
          Source: explorer.exe, 0000000D.00000000.748886888.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.815138402.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.764707107.0000000000AD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 0000000D.00000000.749118501.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.784309872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.818058710.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.765010768.0000000001080000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 0000000D.00000000.788437587.0000000005E50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.749118501.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.784309872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.818058710.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.765010768.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.941915708.0000000004890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.973945756.0000000004890000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000D.00000000.749118501.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.784309872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.818058710.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.765010768.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.941915708.0000000004890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.973945756.0000000004890000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 0000000D.00000000.749118501.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.784309872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.818058710.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.765010768.0000000001080000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 0000000D.00000000.757932990.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.772378889.000000000A716000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: explorer.exe, 0000001A.00000000.939303003.0000000004549000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.918656126.000000000455D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.918996216.000000000455D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.973826164.0000000004549000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanR
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Scheduled Task/Job          		1
          Scheduled Task/Job          		512
          Process Injection          		1
          Masquerading          		OS Credential Dumping1
          Query Registry          		Remote Services1
          Archive Collected Data          		Exfiltration Over Other Network Medium1
          Encrypted Channel          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default Accounts1
          Shared Modules          		Boot or Logon Initialization Scripts1
          Scheduled Task/Job          		11
          Disable or Modify Tools          		LSASS Memory321
          Security Software Discovery          		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
          Application Layer Protocol          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
          Virtualization/Sandbox Evasion          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)512
          Process Injection          		NTDS31
          Virtualization/Sandbox Evasion          		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information          		LSA Secrets1
          Application Window Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common4
          Obfuscated Files or Information          		Cached Domain Credentials1
          File and Directory Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items13
          Software Packing          		DCSync112
          System Information Discovery          		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          File Deletion          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 563220 Sample: QUOTATION PDF_SCAN_COPY.exe Startdate: 31/01/2022 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 14 other signatures 2->50 10 QUOTATION PDF_SCAN_COPY.exe 7 2->10         started        process3 file4 36 C:\Users\user\AppData\Roaming\KHDScDG.exe, PE32 10->36 dropped 38 C:\Users\user\...\KHDScDG.exe:Zone.Identifier, ASCII 10->38 dropped 40 C:\Users\user\AppData\Local\...\tmp2DBB.tmp, XML 10->40 dropped 42 C:\Users\...\QUOTATION PDF_SCAN_COPY.exe.log, ASCII 10->42 dropped 52 Adds a directory exclusion to Windows Defender 10->52 54 Injects a PE file into a foreign processes 10->54 14 QUOTATION PDF_SCAN_COPY.exe 10->14         started        17 powershell.exe 24 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 21 explorer.exe 14->21 injected 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        process8 process9 27 wlanext.exe 21->27         started        signatures10 56 Self deletion via cmd delete 27->56 58 Modifies the context of a thread in another process (thread injection) 27->58 60 Maps a DLL or memory area into another process 27->60 62 Tries to detect virtualization through RDTSC time measurements 27->62 30 cmd.exe 1 27->30         started        32 explorer.exe 124 27->32         started        process11 process12 34 conhost.exe 30->34         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          QUOTATION PDF_SCAN_COPY.exe43%VirustotalBrowse
          QUOTATION PDF_SCAN_COPY.exe29%MetadefenderBrowse
          QUOTATION PDF_SCAN_COPY.exe33%ReversingLabsByteCode-MSIL.Trojan.Woreflint
          QUOTATION PDF_SCAN_COPY.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\KHDScDG.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Roaming\KHDScDG.exe29%MetadefenderBrowse
          C:\Users\user\AppData\Roaming\KHDScDG.exe33%ReversingLabsByteCode-MSIL.Trojan.Woreflint

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          11.0.QUOTATION PDF_SCAN_COPY.exe.400000.6.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          11.0.QUOTATION PDF_SCAN_COPY.exe.400000.8.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          11.0.QUOTATION PDF_SCAN_COPY.exe.400000.4.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          11.2.QUOTATION PDF_SCAN_COPY.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          www.faireez.club/n2t4/0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          www.faireez.club/n2t4/true
          • Avira URL Cloud: safe
          		low

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://www.apache.org/licenses/LICENSE-2.0QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.fontbureau.comQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745478312.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://www.fontbureau.com/designersGQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.fontbureau.com/designers/?QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.founder.com.cn/cn/bTheQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers?QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.tiro.comQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designersQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.goodfont.co.krQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.carterandcone.comlQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sajatypeworks.comQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.typography.netDQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/cabarga.htmlNQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/cTheQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.galapagosdesign.com/staff/dennis.htmQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://fontfabrik.comQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cnQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers/frere-user.htmlQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.jiyu-kobo.co.jp/QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.galapagosdesign.com/DPleaseQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers8QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fonts.comQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.sandoll.co.krQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.urwpp.deDPleaseQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.zhongyicts.com.cnQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, QUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sakkal.comQUOTATION PDF_SCAN_COPY.exe, 00000001.00000002.750662294.0000000006BD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown

                                World Map of Contacted IPs

                                No contacted IP infos

                                General Information

                                Joe Sandbox Version:34.0.0 Boulder Opal
                                Analysis ID:563220
                                Start date:31.01.2022
                                Start time:12:05:21
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 13m 8s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:QUOTATION PDF_SCAN_COPY.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:29
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@14/8@0/0
                                EGA Information:
                                • Successful, ratio: 100%
                                HDC Information:
                                • Successful, ratio: 24.8% (good quality ratio 22.2%)
                                • Quality average: 70.6%
                                • Quality standard deviation: 32.7%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe

                                Warnings

                                • Exclude process from analysis (whitelisted): SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 13.107.5.88, 13.107.42.16, 23.211.5.146, 23.211.6.115, 204.79.197.200, 13.107.21.200
                                • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, e12564.dspb.akamaiedge.net, config-edge-skype.l-0007.l-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com, www.bing.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, l-0007.config.skype.com, store-images.s-microsoft.com, e16646.dscg.akamaiedge.net
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                12:06:45API Interceptor1x Sleep call for process: QUOTATION PDF_SCAN_COPY.exe modified
                                12:06:51API Interceptor41x Sleep call for process: powershell.exe modified
                                12:08:14API Interceptor63x Sleep call for process: explorer.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASNs

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION PDF_SCAN_COPY.exe.log

                                Download File
                                Process:C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):1216
                                Entropy (8bit):5.355304211458859
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious:true
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                Download File
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):22332
                                Entropy (8bit):5.601661528735134
                                Encrypted:false
                                SSDEEP:384:vtCDXbqBT0BQ+KSBKncjultIK77Y9gBSJ3x6T1MaDZlbAV7/ApsSZBDI+5zg:TBABw4KcCltlfBc4CifwjUV8
                                MD5:147498DB6C549710962BB6C1304E855E
                                SHA1:7E5441D88801C466BC4A037E50D47D499BBA4EC9
                                SHA-256:858A4B512D4D9DF5E6A33FC26E8252C55BD267AF3BD56CE0781F3DBE4A773767
                                SHA-512:03C9D68D58506BFC635BF56AA3A9636E659F351D677A6304D1E4A3FD453010BC8FE66930028C9AE0CA523D6AADAAC19A5E2D51CFEAA273FD10251813E98EDF6F
                                Malicious:false
                                Preview:@...e...................h.a...........n...I..........@..........H...............<@.^.L."My...:X..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0flfqeem.c1z.psm1

                                Download File
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Preview:1

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e0feqvz4.jvk.ps1

                                Download File
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Preview:1

                                C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp

                                Download File
                                Process:C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1594
                                Entropy (8bit):5.138464141834504
                                Encrypted:false
                                SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaFxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTUv
                                MD5:AA21016D90C92A78024FA66167B4D7BE
                                SHA1:97BF86E124F859760C7F463BEBF1A3E4FDDBE7D2
                                SHA-256:4F335E7DCD45F9C9295CA77E3071616BB592079059D0B0C93B474A20418C25BE
                                SHA-512:8D7D7A4E5924B556044CAE4035758912071A9D9229B4FB8914BA246EFAC1B33F0F88296FFEEC335F3053A14AB0DF9BD6650D0353487B9D01B1E25D31B1B69517
                                Malicious:true
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                C:\Users\user\AppData\Roaming\KHDScDG.exe

                                Download File
                                Process:C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):535552
                                Entropy (8bit):7.39580217020087
                                Encrypted:false
                                SSDEEP:12288:KcqT+JVO7JUQ1h1038w3pym2sdklRwCk3:KcqcVOV3h103s0waH
                                MD5:5E9AF5B2056E4DA639A9459E3B36193C
                                SHA1:B779402E9A6ECBBEF6B68817814991BBCADE12DF
                                SHA-256:35147128936C2E79548E5C0A2BBD70CD5A29C1B01DFA1AC2515FA5BECB7EFA6D
                                SHA-512:4F293BAB428AEEAD9C4B0A411A9D0674BEBD87CF89D92F2AA0B1FFC4D287D96B859365453F21040ABC7B5DD4F452F52ED98661B8C16624D9915D4C40ECFE15EA
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: Metadefender, Detection: 29%, Browse
                                • Antivirus: ReversingLabs, Detection: 33%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v.a..............0.."..........2A... ...`....@.. ....................................@..................................@..O....`...............................?............................................... ............... ..H............text...8!... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B.................A......H...........,|...............0............................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(........(.......(.......(........(........(........(.....*..0...........r...p...(....r...p(.......(....r...p(......r...p(.......(....o.....+...(........o....r...p(........(....-...........o.......r'..p(.......(....o.....+V..(.........>...%...%.rE..p.%...o..............o ....%.rQ..p.%...o.....%.r...p.(!

                                C:\Users\user\AppData\Roaming\KHDScDG.exe:Zone.Identifier

                                Download File
                                Process:C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Preview:[ZoneTransfer]....ZoneId=0

                                C:\Users\user\Documents\20220131\PowerShell_transcript.320946.ooSQevcZ.20220131120650.txt

                                Download File
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):5777
                                Entropy (8bit):5.396346341966378
                                Encrypted:false
                                SSDEEP:96:BZqjONEUqDo1Z0TZBjONEUqDo1ZsqcSjZ4AjONEUqDo1ZNPCC8ZX:4XZGf
                                MD5:05E8711C62306DB9A0825BBF92E3E028
                                SHA1:791C41350092092FA293623F35C70CD0B97EEC59
                                SHA-256:206403375AA38891911139183B7C118D025435E764A968E8114BA90646B34E9C
                                SHA-512:4BCBA560C830AB19A6E6E78D0AFFD0AE28EFBE2006421824FD27A2EBA774DA5B3F634875C0A94BBEA4D19EF26C6DD93318A2062C2DB25554B800C80301A7D3CA
                                Malicious:false
                                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220131120651..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\KHDScDG.exe..Process ID: 4128..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220131120651..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\KHDScDG.exe..**********************..Windows PowerShell transcript start..Start time: 20220131121105..Username: computer\user..RunAs User: computer\user..Con

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.39580217020087
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:QUOTATION PDF_SCAN_COPY.exe
                                File size:535552
                                MD5:5e9af5b2056e4da639a9459e3b36193c
                                SHA1:b779402e9a6ecbbef6b68817814991bbcade12df
                                SHA256:35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d
                                SHA512:4f293bab428aeead9c4b0a411a9d0674bebd87cf89d92f2aa0b1ffc4d287d96b859365453f21040abc7b5dd4f452f52ed98661b8c16624d9915d4c40ecfe15ea
                                SSDEEP:12288:KcqT+JVO7JUQ1h1038w3pym2sdklRwCk3:KcqcVOV3h103s0waH
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v.a..............0.."..........2A... ...`....@.. ....................................@................................

                                File Icon

                                Icon Hash:00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x484132
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x61F77617 [Mon Jan 31 05:39:35 2022 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0x840e00x4f.text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x860000x5e4.rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x880000xc.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x83fa80x1c.text
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x20000x821380x82200False0.755804965178data7.40361532396IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc0x860000x5e40x600False0.435546875data4.17670383408IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc0x880000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                NameRVASizeTypeLanguageCountry
                                RT_VERSION0x860900x352data
                                RT_MANIFEST0x863f40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                Imports

                                DLLImport
                                mscoree.dll_CorExeMain

                                Version Infos

                                DescriptionData
                                Translation0x0000 0x04b0
                                LegalCopyright2010 Honda Fit
                                Assembly Version12.1.9.0
                                InternalNameRegist.exe
                                FileVersion12.0.0.0
                                CompanyNameHonda
                                LegalTrademarks
                                CommentsBorders Books
                                ProductNameLineNumberInfo
                                ProductVersion12.0.0.0
                                FileDescriptionLineNumberInfo
                                OriginalFilenameRegist.exe

                                Network Behavior

                                No network behavior found

                                Statistics

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:1
                                Start time:12:06:19
                                Start date:31/01/2022
                                Path:C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
                                Imagebase:0x770000
                                File size:535552 bytes
                                MD5 hash:5E9AF5B2056E4DA639A9459E3B36193C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.748414866.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.746575972.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.745531520.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Target ID:7
                                Start time:12:06:48
                                Start date:31/01/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KHDScDG.exe
                                Imagebase:0x1360000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:high

                                General

                                Target ID:8
                                Start time:12:06:49
                                Start date:31/01/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6eb840000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Target ID:9
                                Start time:12:06:49
                                Start date:31/01/2022
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KHDScDG" /XML "C:\Users\user\AppData\Local\Temp\tmp2DBB.tmp
                                Imagebase:0x10a0000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Target ID:10
                                Start time:12:06:50
                                Start date:31/01/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Target ID:11
                                Start time:12:06:51
                                Start date:31/01/2022
                                Path:C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe
                                Imagebase:0x5a0000
                                File size:535552 bytes
                                MD5 hash:5E9AF5B2056E4DA639A9459E3B36193C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.741535276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.835174756.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.741938582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.834375246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.834839904.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                General

                                Target ID:13
                                Start time:12:06:56
                                Start date:31/01/2022
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff6fee60000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.775484148.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.794471211.000000000DADA000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                General

                                Target ID:19
                                Start time:12:07:33
                                Start date:31/01/2022
                                Path:C:\Windows\SysWOW64\wlanext.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\wlanext.exe
                                Imagebase:0x8c0000
                                File size:78848 bytes
                                MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.981277393.0000000003270000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.980171637.0000000000950000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.980875419.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:moderate

                                General

                                Target ID:21
                                Start time:12:07:38
                                Start date:31/01/2022
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del "C:\Users\user\Desktop\QUOTATION PDF_SCAN_COPY.exe"
                                Imagebase:0x11d0000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Target ID:22
                                Start time:12:07:39
                                Start date:31/01/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Target ID:26
                                Start time:12:08:12
                                Start date:31/01/2022
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                                Imagebase:0x7ff6fee60000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Disassembly

                                No disassembly