Windows Analysis Report
QUOTATION_JULQTRA071244#U00faPDF.scr.exe

Overview

General Information

Sample name: QUOTATION_JULQTRA071244#U00faPDF.scr.exe
renamed because original name is a hash value
Original sample name: QUOTATION_JULQTRA071244PDF.scr.exe
Analysis ID: 1465905
MD5: 2756768c9b94948e6ac6877fd26178e3
SHA1: 30f772fdfdb5a1567d37c9a998f82939d60b6667
SHA256: b75793ac0d57482cfb4abf41303bc240bb13a089b4b048c0d5ff36f3a19cdc7a
Tags: exeFormbookscr
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 10.2.aspnet_compiler.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "zam8@qlststv.com", "Password": "2htWJg8Ru9SP..!TZmaka!@"}
Multi AV Scanner detection for submitted file
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe ReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 4x nop then jmp 028759CFh 0_2_02875AE7
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 4x nop then jmp 028759CFh 0_2_0287595B
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 4x nop then jmp 028759CFh 0_2_02875968

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /data-package/mJcm5Gfa/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /storage/download/vrZBY6VkA2Ae HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /data-package/mJcm5Gfa/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /data-package/mJcm5Gfa/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /storage/download/vrZBY6VkA2Ae HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /data-package/mJcm5Gfa/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: filetransfer.io
Source: global traffic DNS traffic detected: DNS query: s23.filetransfer.io
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://filetransfer.io
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe String found in binary or memory: http://filetransfer.io/data-package/mJcm5Gfa/download
Source: aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002E81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://filetransfer.io/data-package/mJcm5Gfa/download
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://filetransfer.iovi
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://s23.filetransfer.io
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002ADD000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://s23.filetransfer.io/storage/download/vrZBY6VkA2Ae
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49709 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_0287AB40 0_2_0287AB40
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_0287C8E8 0_2_0287C8E8
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_028734F0 0_2_028734F0
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_02873DC0 0_2_02873DC0
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_028792F0 0_2_028792F0
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_02879208 0_2_02879208
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_02879248 0_2_02879248
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_02879267 0_2_02879267
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_0287AB31 0_2_0287AB31
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_0287C8D7 0_2_0287C8D7
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_0287595B 0_2_0287595B
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_02875968 0_2_02875968
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_02874705 0_2_02874705
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_02872DA8 0_2_02872DA8
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_05CC0040 0_2_05CC0040
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_05CC0039 0_2_05CC0039
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_05CC03CA 0_2_05CC03CA
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_0844D750 0_2_0844D750
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_08430040 0_2_08430040
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_08430006 0_2_08430006
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_0844CB28 0_2_0844CB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_02CEA5AA 10_2_02CEA5AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_02CE4AC0 10_2_02CE4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_02CEDA68 10_2_02CEDA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_02CE3EA8 10_2_02CE3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_02CE41F0 10_2_02CE41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_065D2188 10_2_065D2188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_065D13E0 10_2_065D13E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_065D8628 10_2_065D8628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_065D8622 10_2_065D8622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_065D3248 10_2_065D3248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 10_2_065D3930 10_2_065D3930
Sample file is different than original file name gathered from version info
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002B45000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename39b65d59-f6bc-48b5-8d23-a6d96b36d336.exe4 vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000000.1246002493.0000000000655000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKuulogkewv.exe> vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1765846421.0000000007510000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGyokxqciy.dll" vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.00000000046F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGyokxqciy.dll" vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1746499640.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Binary or memory string: OriginalFilenameKuulogkewv.exe> vs QUOTATION_JULQTRA071244#U00faPDF.scr.exe
Uses 32bit PE files
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION_JULQTRA071244#U00faPDF.scr.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Mutant created: NULL
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe "C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1762618379.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1771032967.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c7c360.10.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7aa0000.17.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3c2c340.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.679bd70.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.67c3d90.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.67c3d90.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.27e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.679bd70.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3a89550.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.6813db0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1747718768.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1751396085.0000000003A88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1747373203.00000000027E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1763963999.00000000065E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_02876B1B push 1CB8C3AFh; retf 0_2_02876B21
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000003015000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL@\
Source: aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLT-
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000003015000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORER;SBIEDLL.DLL<SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORER;SBIEDLL.DLL<SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE=VERSION>SERIALNUMBER@VMWARE|VIRTUAL|A M I|XENASELECT * FROM WIN32_COMPUTERSYSTEMBMANUFACTURERCMODELDMICROSOFT|VMWARE|VIRTUALEJOHNFANNAGXXXXXXXX
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Memory allocated: FE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Memory allocated: 2A80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Memory allocated: 27E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Memory allocated: 63C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Memory allocated: 73C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Memory allocated: 14F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Memory allocated: 2E80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Memory allocated: 4E80000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1800000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798981 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798637 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797639 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797414 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794516 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Window / User API: threadDelayed 7439 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Window / User API: threadDelayed 2368 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 1651 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 8199 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7848 Thread sleep count: 7439 > 30 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7848 Thread sleep count: 2368 > 30 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -99874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -99753s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -99624s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -99515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -99400s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -99281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -99171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -99031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -98921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -98771s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -98500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -98370s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -98250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -98139s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -98031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -97921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -97812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -97680s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -97561s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -97452s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -97343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -97234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -97124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96997s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96653s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96421s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96279s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96170s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -96046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95276s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95170s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -95046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -94937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -94828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -94718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -94609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -94499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -94390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe TID: 7820 Thread sleep time: -595031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1800000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1708 Thread sleep count: 1651 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1799875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1708 Thread sleep count: 8199 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1799765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1799656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1799546s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1799437s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1799328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1799218s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1799109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798981s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798637s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798516s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798187s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1798078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797968s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797639s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797414s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797187s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1797078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796968s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796640s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796187s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1796078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795625s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795516s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795187s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1795078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1794968s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1794859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1794750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1794641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1704 Thread sleep time: -1794516s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 99874 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 99753 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 99624 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 99515 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 99400 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 99281 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 99171 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 99031 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 98921 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 98771 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 98500 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 98370 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 98139 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 97921 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 97680 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 97561 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 97452 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 97343 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 97234 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 97124 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96997 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96874 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96765 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96653 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96531 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96421 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96279 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96170 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 96046 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95937 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95828 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95718 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95609 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95499 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95390 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95276 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95170 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 95046 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 94937 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 94828 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 94718 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 94609 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 94499 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 94390 Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1800000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1799109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798981 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798637 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1798078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797639 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797414 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1797078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1796078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1795078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1794516 Jump to behavior
Source: aspnet_compiler.exe, 0000000A.00000002.2503660186.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware\V?q
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q0VMware|VIRTUAL|A M I|Xen
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xent-
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q0Microsoft|VMWare|Virtual
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: aspnet_compiler.exe, 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual@\
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareLR
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer;SbieDll.dll<select * from Win32_BIOS8Unexpected WMI query failure=version>SerialNumber@VMware|VIRTUAL|A M I|XenAselect * from Win32_ComputerSystemBmanufacturerCmodelDMicrosoft|VMWare|VirtualEjohnFannaGxxxxxxxx
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1747718768.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWareLR
Source: QUOTATION_JULQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1746499640.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000A.00000002.2501339812.000000000130E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Code function: 0_2_028709F8 CheckRemoteDebuggerPresent, 0_2_028709F8
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Queries volume information: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00faPDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 8012, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1765846421.0000000007510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1751396085.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2503660186.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 8012, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1747718768.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2500277935.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION_JULQTRA071244#U00faPDF.scr.exe PID: 7752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 8012, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.4774240.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.454d018.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.7510000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION_JULQTRA071244#U00faPDF.scr.exe.3d07e98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1765846421.0000000007510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1751396085.00000000046F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1751396085.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465905 Sample: QUOTATION_JULQTRA071244#U00... Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 18 ip-api.com 2->18 20 s23.filetransfer.io 2->20 22 filetransfer.io 2->22 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 10 other signatures 2->34 7 QUOTATION_JULQTRA071244#U00faPDF.scr.exe 15 3 2->7         started        signatures3 process4 dnsIp5 24 s23.filetransfer.io 188.114.97.3, 443, 49707, 49708 CLOUDFLARENETUS European Union 7->24 16 QUOTATION_JULQTRA0...00faPDF.scr.exe.log, ASCII 7->16 dropped 36 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->36 38 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->38 12 aspnet_compiler.exe 14 2 7->12         started        file6 signatures7 process8 dnsIp9 26 ip-api.com 208.95.112.1, 49714, 80 TUT-ASUS United States 12->26 40 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->40 42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->42 44 Tries to steal Mail credentials (via file / registry access) 12->44 46 3 other signatures 12->46 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS true
188.114.97.3
 filetransfer.io European Union
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
filetransfer.io 188.114.97.3 true
ip-api.com 208.95.112.1 true
s23.filetransfer.io 188.114.97.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://filetransfer.io/data-package/mJcm5Gfa/download false
  • Avira URL Cloud: safe
 unknown
http://filetransfer.io/data-package/mJcm5Gfa/download false
  • Avira URL Cloud: safe
 unknown
https://s23.filetransfer.io/storage/download/vrZBY6VkA2Ae false
  • Avira URL Cloud: safe
 unknown
http://ip-api.com/line/?fields=hosting false
  • URL Reputation: safe
 unknown