Windows Analysis Report
UN-Quotation 70000000187366444_PDF.exe

Overview

General Information

Sample Name:	UN-Quotation 70000000187366444_PDF.exe
Analysis ID:	652379
MD5:	0bfb0ab1e8c7ec929e44d70c196b4d21
SHA1:	89c971ae9a832cdfe2e56e8adfe9972505059c2c
SHA256:	cae7db67ae977f3f41349954ecedd51d0248924012fbcb33610e44ced5f24611
Tags:	Agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: UN-Quotation 70000000187366444_PDF.exe	Virustotal: Detection: 37%			Perma Link
Source: UN-Quotation 70000000187366444_PDF.exe	ReversingLabs: Detection: 19%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XrgnLg.exe

ReversingLabs: Detection: 19%

Machine Learning detection for sample

Source: UN-Quotation 70000000187366444_PDF.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XrgnLg.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8

Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "giedre@bonsa.lt", "Password": "201Bon@22", "Host": "mail.bonsa.lt"}

Uses 32bit PE files

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49741 -> 193.46.84.142:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49741 -> 193.46.84.142:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49741 -> 193.46.84.142:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 193.46.84.142:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 193.46.84.142:587

Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253180685.0000000005584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248676313.0000000005584000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248638895.0000000005584000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248610040.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248610040.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comH:
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lAnHfH.com
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514166896.000000000312F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.bonsa.lt
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com.HB
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com:
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comQ
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coma
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-uFi
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253046638.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.HB
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comue4B
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comv
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260487275.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257449014.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260217118.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260045634.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.259916089.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers#
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260217118.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260274303.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260045634.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers)8
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257449014.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257348457.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258973602.00000000055C4000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258918421.00000000055C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.267126818.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257743913.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257514571.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257563714.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers48
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258212354.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258149553.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258050880.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258267258.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersC8
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258212354.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257985084.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258149553.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258050880.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258267258.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerss
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomF
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.295386008.0000000005580000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303672867.0000000005580000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commsd
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251459375.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251524303.00000000055BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn#
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251813901.000000000558B000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251689579.0000000005585000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/jBu
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251524303.00000000055BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn8OX
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.263325743.000000000558C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.krfk6
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.247789916.000000000559B000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.247789916.000000000559B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comY
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krcom
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krim
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251850802.0000000005582000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251932047.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251813901.000000000558B000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comNorm
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248734873.0000000005584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.net8bX
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248734873.0000000005584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netiv
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnn-u
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnue4B
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514197510.000000000313C000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514154750.0000000003129000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514166896.000000000312F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oVr11J0CkkX1DVO37.net
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.bonsa.lt

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: UN-Quotation 70000000187366444_PDF.exe
Source: initial sample	Static PE information: Filename: UN-Quotation 70000000187366444_PDF.exe

.NET source code contains very large array initializations

Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs	Large array initialization: .cctor: array initializer size 11627
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs	Large array initialization: .cctor: array initializer size 11627
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs	Large array initialization: .cctor: array initializer size 11627
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs	Large array initialization: .cctor: array initializer size 11627

Uses 32bit PE files

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Detected potential crypto function

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 0_2_00B6CB24	0_2_00B6CB24
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 0_2_00B6EF70	0_2_00B6EF70
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 0_2_00B6EF62	0_2_00B6EF62
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_02D4F380	10_2_02D4F380
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_02D4F6C8	10_2_02D4F6C8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064537F4	10_2_064537F4
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064567D1	10_2_064567D1
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064534DC	10_2_064534DC
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06454AF8	10_2_06454AF8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0645B1E0	10_2_0645B1E0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064992E8	10_2_064992E8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06497040	10_2_06497040
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0649BC68	10_2_0649BC68
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064964C8	10_2_064964C8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0649ACD6	10_2_0649ACD6
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0649C085	10_2_0649C085
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064932A8	10_2_064932A8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0662B2E8	10_2_0662B2E8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_066277B8	10_2_066277B8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0662F0E8	10_2_0662F0E8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06624928	10_2_06624928
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_066219B0	10_2_066219B0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0662B988	10_2_0662B988
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06622AB8	10_2_06622AB8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06627757	10_2_06627757
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06620040	10_2_06620040
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06621159	10_2_06621159
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0662B924	10_2_0662B924

Sample file is different than original file name gathered from version info

Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.295737787.0000000000318000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.304363401.0000000006CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000000.294293276.0000000000AF8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.512249842.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe	Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe

PE file contains strange resources

Source: UN-Quotation 70000000187366444_PDF.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: XrgnLg.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: UN-Quotation 70000000187366444_PDF.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XrgnLg.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UN-Quotation 70000000187366444_PDF.exe	Virustotal: Detection: 37%
Source: UN-Quotation 70000000187366444_PDF.exe	ReversingLabs: Detection: 19%

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File read: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Jump to behavior

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe"
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File created: C:\Users\user\AppData\Roaming\XrgnLg.exe

Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File created: C:\Users\user\AppData\Local\Temp\tmp25F3.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/11@1/1

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: UN-Quotation 70000000187366444_PDF.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_01
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\CidkzRETsJQhvv
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01

Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: XrgnLg.exe.0.dr, dP/Cb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XrgnLg.exe.0.dr, dP/Cb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: XrgnLg.exe.0.dr, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.5.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.3.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.2.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.1.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.7.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.9.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.a60000.1.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.13.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 0_2_00B61C58 push ebx; iretd	0_2_00B61C7A
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_02D46890 push FFFFFF8Bh; iretd	10_2_02D4689B
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06451518 push eax; retf	10_2_06451521
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0649F69B push 8B000003h; iretd	10_2_0649F6A4
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064932A8 push es; iretd	10_2_064941D0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064932A8 push es; iretd	10_2_064941E0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064918F6 push es; ret	10_2_06491910
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064918AA push es; ret	10_2_064918C4
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064918BD push es; ret	10_2_064918C4
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06492177 push edi; retn 0000h	10_2_06492179
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06491909 push es; ret	10_2_06491910
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064941D9 push es; iretd	10_2_064941E0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064941D1 push es; iretd	10_2_064941D8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_066283D8 push 8B05F474h; retn 518Dh	10_2_06628429
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06620040 push es; ret	10_2_06620DC8

Source: initial sample	Static PE information: section name: .text entropy: 7.847857536771399
Source: initial sample	Static PE information: section name: .text entropy: 7.847857536771399

Drops PE files

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File created: C:\Users\user\AppData\Roaming\XrgnLg.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 6248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6920	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848	Thread sleep count: 7498 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6852	Thread sleep count: 815 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4760	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4800	Thread sleep count: 3332 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4800	Thread sleep count: 5748 > 30	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5087	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 661	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7498	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 815	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Window / User API: threadDelayed 3332	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Window / User API: threadDelayed 5748	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.304363401.0000000006CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: eZUFMybyZvmCI51dXuO
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Enables debug privileges

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process token adjusted: Debug	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Code function: 10_2_06498F98 LdrInitializeThunk,

10_2_06498F98

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510843577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.293458897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510843577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.293458897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.46.84.142	mail.bonsa.lt	Lithuania		43463	BST-LT	true

Contacted Domains

Name	IP	Active
mail.bonsa.lt	193.46.84.142	true

AV Detection

Multi AV Scanner detection for submitted file

Source: UN-Quotation 70000000187366444_PDF.exe	Virustotal: Detection: 37%			Perma Link
Source: UN-Quotation 70000000187366444_PDF.exe	ReversingLabs: Detection: 19%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XrgnLg.exe

ReversingLabs: Detection: 19%

Machine Learning detection for sample

Source: UN-Quotation 70000000187366444_PDF.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XrgnLg.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8

Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "giedre@bonsa.lt", "Password": "201Bon@22", "Host": "mail.bonsa.lt"}

Uses 32bit PE files

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49741 -> 193.46.84.142:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49741 -> 193.46.84.142:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49741 -> 193.46.84.142:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 193.46.84.142:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 193.46.84.142:587

Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253180685.0000000005584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248676313.0000000005584000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248638895.0000000005584000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248610040.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248610040.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comH:
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lAnHfH.com
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514166896.000000000312F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.bonsa.lt
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com.HB
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com:
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comQ
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coma
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-uFi
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253046638.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.HB
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comue4B
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comv
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260487275.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257449014.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260217118.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260045634.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.259916089.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers#
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260217118.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260274303.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260045634.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers)8
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257449014.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257348457.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258973602.00000000055C4000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258918421.00000000055C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.267126818.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257743913.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257514571.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257563714.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers48
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258212354.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258149553.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258050880.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258267258.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersC8
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258212354.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257985084.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258149553.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258050880.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258267258.00000000055AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerss
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomF
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.295386008.0000000005580000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303672867.0000000005580000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commsd
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251459375.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251524303.00000000055BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn#
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251813901.000000000558B000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251689579.0000000005585000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/jBu
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251524303.00000000055BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn8OX
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.263325743.000000000558C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.krfk6
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.247789916.000000000559B000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.247789916.000000000559B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comY
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krcom
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krim
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251850802.0000000005582000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251932047.0000000005583000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251813901.000000000558B000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comNorm
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248734873.0000000005584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.net8bX
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248734873.0000000005584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netiv
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnn-u
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnue4B
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514197510.000000000313C000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514154750.0000000003129000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514166896.000000000312F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oVr11J0CkkX1DVO37.net
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.bonsa.lt

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: UN-Quotation 70000000187366444_PDF.exe
Source: initial sample	Static PE information: Filename: UN-Quotation 70000000187366444_PDF.exe

.NET source code contains very large array initializations

Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs	Large array initialization: .cctor: array initializer size 11627
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs	Large array initialization: .cctor: array initializer size 11627
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs	Large array initialization: .cctor: array initializer size 11627
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs	Large array initialization: .cctor: array initializer size 11627

Uses 32bit PE files

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Detected potential crypto function

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 0_2_00B6CB24	0_2_00B6CB24
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 0_2_00B6EF70	0_2_00B6EF70
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 0_2_00B6EF62	0_2_00B6EF62
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_02D4F380	10_2_02D4F380
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_02D4F6C8	10_2_02D4F6C8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064537F4	10_2_064537F4
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064567D1	10_2_064567D1
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064534DC	10_2_064534DC
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06454AF8	10_2_06454AF8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0645B1E0	10_2_0645B1E0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064992E8	10_2_064992E8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06497040	10_2_06497040
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0649BC68	10_2_0649BC68
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064964C8	10_2_064964C8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0649ACD6	10_2_0649ACD6
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0649C085	10_2_0649C085
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064932A8	10_2_064932A8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0662B2E8	10_2_0662B2E8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_066277B8	10_2_066277B8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0662F0E8	10_2_0662F0E8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06624928	10_2_06624928
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_066219B0	10_2_066219B0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0662B988	10_2_0662B988
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06622AB8	10_2_06622AB8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06627757	10_2_06627757
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06620040	10_2_06620040
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06621159	10_2_06621159
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0662B924	10_2_0662B924

Sample file is different than original file name gathered from version info

Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.295737787.0000000000318000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.304363401.0000000006CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000000.294293276.0000000000AF8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.512249842.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs UN-Quotation 70000000187366444_PDF.exe
Source: UN-Quotation 70000000187366444_PDF.exe	Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe

PE file contains strange resources

Source: UN-Quotation 70000000187366444_PDF.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: XrgnLg.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: UN-Quotation 70000000187366444_PDF.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XrgnLg.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UN-Quotation 70000000187366444_PDF.exe	Virustotal: Detection: 37%
Source: UN-Quotation 70000000187366444_PDF.exe	ReversingLabs: Detection: 19%

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File read: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Jump to behavior

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe"
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File created: C:\Users\user\AppData\Roaming\XrgnLg.exe

Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File created: C:\Users\user\AppData\Local\Temp\tmp25F3.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/11@1/1

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: UN-Quotation 70000000187366444_PDF.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_01
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\CidkzRETsJQhvv
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01

Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: XrgnLg.exe.0.dr, dP/Cb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XrgnLg.exe.0.dr, dP/Cb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UN-Quotation 70000000187366444_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: XrgnLg.exe.0.dr, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.5.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.3.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.2.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.1.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.7.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.9.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.a60000.1.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.13.unpack, dP/Cb.cs	.Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 0_2_00B61C58 push ebx; iretd	0_2_00B61C7A
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_02D46890 push FFFFFF8Bh; iretd	10_2_02D4689B
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06451518 push eax; retf	10_2_06451521
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_0649F69B push 8B000003h; iretd	10_2_0649F6A4
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064932A8 push es; iretd	10_2_064941D0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064932A8 push es; iretd	10_2_064941E0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064918F6 push es; ret	10_2_06491910
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064918AA push es; ret	10_2_064918C4
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064918BD push es; ret	10_2_064918C4
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06492177 push edi; retn 0000h	10_2_06492179
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06491909 push es; ret	10_2_06491910
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064941D9 push es; iretd	10_2_064941E0
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_064941D1 push es; iretd	10_2_064941D8
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_066283D8 push 8B05F474h; retn 518Dh	10_2_06628429
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Code function: 10_2_06620040 push es; ret	10_2_06620DC8

Source: initial sample	Static PE information: section name: .text entropy: 7.847857536771399
Source: initial sample	Static PE information: section name: .text entropy: 7.847857536771399

Drops PE files

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

File created: C:\Users\user\AppData\Roaming\XrgnLg.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 6248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6920	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848	Thread sleep count: 7498 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6852	Thread sleep count: 815 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4760	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4800	Thread sleep count: 3332 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4800	Thread sleep count: 5748 > 30	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5087	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 661	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7498	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 815	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Window / User API: threadDelayed 3332	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Window / User API: threadDelayed 5748	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.304363401.0000000006CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: eZUFMybyZvmCI51dXuO
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Enables debug privileges

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process token adjusted: Debug	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Code function: 10_2_06498F98 LdrInitializeThunk,

10_2_06498F98

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510843577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.293458897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.510843577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.293458897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR

ID:	652379
Product:	CloudBasic
Start time:	09:21:07
Start date:	26.06.2022
Sample:	UN-Quotation 70000000187366444_PDF.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	0bfb0ab1e8c7ec929e44d70c196b4d21
SHA1:	89c971ae9a832cdfe2e56e8adfe9972505059c2c
SHA256:	cae7db67ae977f3f41349954ecedd51d0248924012fbcb33610e44ced5f24611
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UN-Quotation 70000000187366444_PDF.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	E86FEA48F78C3AB4F664EDF0608FF92F	D8F7C143950E9E374E82A874363975FEAA1429D1	70547AFAF743047D836C2EDFF9C72715CFB14421B4DFD1228EB69ADB5A0A3FFF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ixxf1ao.tdn.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sd30g3rd.ubr.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1pzxb2l.vjd.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkqujwp3.55e.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp25F3.tmp	XML 1.0 document, ASCII text	2AE384B6BD08DEB19652391B22018E51	F875E428D15D7DEE9B22417379846830BE18CFEE	841042492DDC076CBAC48A79F1CD463FC9870BB4F24941E12A1203CB16A8E57F
C:\Users\user\AppData\Roaming\XrgnLg.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	0BFB0AB1E8C7EC929E44D70C196B4D21	89C971AE9A832CDFE2E56E8ADFE9972505059C2C	CAE7DB67AE977F3F41349954ECEDD51D0248924012FBCB33610E44CED5F24611
C:\Users\user\AppData\Roaming\XrgnLg.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20220626\PowerShell_transcript.377142.MMcHz80l.20220626092227.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D5B13AAFFF1D8A6E7B1B3A8C47DC4FBD	3E3B7108F50289B81F4CFFA2E7FB8A8A00F99A06	A686F3F41746F652FD0EAACBC43A64CB90CE0D5835B37FE548885D8C33E463E6
C:\Users\user\Documents\20220626\PowerShell_transcript.377142.X4GIrLBG.20220626092225.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	3BACB553A7A293802400703686AC82B4	7DBE2D86F2C0B0E7FBEDC6FCB0A374B4EFF987AD	80B8C4A90450CB5BFCC2C3DEF130735A6C502819494E0BE57E5F327B36DFA0BD

Windows Analysis Report
UN-Quotation 70000000187366444_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report UN-Quotation 70000000187366444_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
UN-Quotation 70000000187366444_PDF.exe