Windows Analysis Report
QUOTATION_NOVQTRA071244PDF.scr.exe

AV Detection

Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "abbsend@qlststv.com", "Password": "G!!HFpD@N*]*nF", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

ReversingLabs: Detection: 36%

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B96A235h		4_2_00007FFD9B969E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B969C1Bh		4_2_00007FFD9B9699B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B967470h		4_2_00007FFD9B967419
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B96A235h		4_2_00007FFD9B96A151

Networking

Source: global traffic	HTTP traffic detected: GET /data-package/I7fmQg9d/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/ndvzPJWaMUSB HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/I7fmQg9d/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49745 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49758 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49781 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49765 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49775 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/I7fmQg9d/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/ndvzPJWaMUSB HTTP/1.1Host: s24.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/I7fmQg9d/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s24.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_NOVQTRA071244PDF.scr.exe	String found in binary or memory: http://filetransfer.io/data-package/I7fmQg9d/download
Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C21000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aspnet_compiler.exe, 00000004.00000002.2960737490.0000019050B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coH
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CCE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/I7fmQg9d/download
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050DE4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E4D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050EA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050E74000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75p
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s24.filetransfer.io
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C94000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6C90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s24.filetransfer.io/storage/download/ndvzPJWaMUSB
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2215561209.00000228E70FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: initial sample

Static PE information: Filename: QUOTATION_NOVQTRA071244PDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9B8951D3		0_2_00007FFD9B8951D3
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9BAB6452		0_2_00007FFD9BAB6452
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9BA94C41		0_2_00007FFD9BA94C41
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9BA97C29		0_2_00007FFD9BA97C29
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9BA919E1		0_2_00007FFD9BA919E1
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9BA90060		0_2_00007FFD9BA90060
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9BAA4F9D		0_2_00007FFD9BAA4F9D
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9BAB56A6		0_2_00007FFD9BAB56A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001904EEE2B78		4_2_000001904EEE2B78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001904EEE279C		4_2_000001904EEE279C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001904EEE3A5C		4_2_000001904EEE3A5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001904EEE6254		4_2_000001904EEE6254
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001904EEE18C0		4_2_000001904EEE18C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000001904EEE2FA8		4_2_000001904EEE2FA8

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000000.1718879374.00000228E4E83000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePzlcy.exeH vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2225576342.00000228FF620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameQhbnw.dll" vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_NOVQTRA071244PDF.scr.exe
Source: QUOTATION_NOVQTRA071244PDF.scr.exe	Binary or memory string: OriginalFilenamePzlcy.exeH vs QUOTATION_NOVQTRA071244PDF.scr.exe

Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2959415202.000001904EEC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2215561209.00000228E70FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050F66000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2961287104.0000019050F75000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_NOVQTRA071244PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E7016000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C31000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6C81000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214866648.0000022880380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2214794114.0000022880110000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2222200198.00000228F6F2C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c81ab0.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6f2cb98.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6c31a78.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880110000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880380000.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.22880090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_NOVQTRA071244PDF.scr.exe.228f6e3e8f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2214752450.0000022880090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2222200198.00000228F6D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_NOVQTRA071244PDF.scr.exe PID: 7268, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9B89FA3D pushad ; iretd		0_2_00007FFD9B89FA47
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9B897967 push ebx; retf		0_2_00007FFD9B89796A
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Code function: 0_2_00007FFD9BAA4F9D push edi; retf		0_2_00007FFD9BAA59D6

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER SBIEDLL.DLL!CUCKOOMON.DLL"WIN32_PROCESS.HANDLE='{0}'#PARENTPROCESSID$CMD%SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE&VERSION'SERIALNUMBER)VMWARE|VIRTUAL|A M I|XEN*SELECT * FROM WIN32_COMPUTERSYSTEM+MANUFACTURER,MODEL-MICROSOFT|VMWARE|VIRTUAL.JOHN/ANNA0XXXXXXXX
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL2Y

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Memory allocated: 228E51C0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Memory allocated: 228FEC20000 memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 19050990000 memory reserve | memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 19068C80000 memory reserve | memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 596187			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 596078			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595968			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595859			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595747			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595625			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595516			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595406			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595297			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595188			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595078			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599562			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599234			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598576			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598452			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598333			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598156			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597886			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597765			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597656			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597546			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597437			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597328			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597218			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597109			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596999			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596890			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596781			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596671			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596562			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596453			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596343			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596234			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596124			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596015			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595905			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595792			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595653			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595543			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595387			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595281			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595172			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595062			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594953			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594843			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594734			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594625			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594515			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594406			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594296			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594187			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Window / User API: threadDelayed 7843			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Window / User API: threadDelayed 1986			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1841			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 7993			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep count: 31 > 30			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -28592453314249787s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -100000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7340	Thread sleep count: 7843 > 30			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7336	Thread sleep count: 1986 > 30			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -99875s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -99764s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -99656s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -99547s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -99422s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -99313s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -99188s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -99073s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -98936s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -98827s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -98615s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -98403s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -98282s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -98141s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -98031s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -97922s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -97813s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -97703s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -97594s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -97485s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -97360s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -97235s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -97110s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -96985s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -96860s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -96735s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -96610s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -96485s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -96360s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -96235s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -96110s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -95985s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -95780s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -95646s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -95516s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -596187s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -596078s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595968s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595859s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595747s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595625s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595516s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595406s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595297s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595188s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe TID: 7308	Thread sleep time: -595078s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep count: 37 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -34126476536362649s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -600000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7896	Thread sleep count: 1841 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599890s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7896	Thread sleep count: 7993 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599781s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599671s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599562s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599453s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599343s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599234s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599125s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -599015s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -598906s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -598797s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -598687s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -598576s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -598452s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -598333s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -598156s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -597886s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -597765s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -597656s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -597546s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -597437s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -597328s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -597218s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -597109s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596999s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596890s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596781s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596671s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596562s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596453s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596343s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596234s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596124s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -596015s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -595905s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -595792s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -595653s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -595543s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -595387s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -595281s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -595172s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -595062s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -594953s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -594843s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -594734s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -594625s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -594515s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -594406s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -594296s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7892	Thread sleep time: -594187s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 100000			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99875			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99764			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99656			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99547			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99422			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99313			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99188			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 99073			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98936			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98827			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98615			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98403			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98282			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98141			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 98031			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97922			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97813			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97703			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97594			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97485			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97360			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97235			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 97110			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96985			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96860			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96735			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96610			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96485			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96360			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96235			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 96110			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95985			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95780			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95646			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 95516			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 596187			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 596078			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595968			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595859			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595747			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595625			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595516			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595406			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595297			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595188			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Thread delayed: delay time: 595078			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599562			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599234			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598576			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598452			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598333			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598156			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597886			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597765			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597656			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597546			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597437			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597328			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597218			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597109			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596999			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596890			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596781			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596671			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596562			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596453			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596343			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596234			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596124			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596015			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595905			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595792			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595653			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595543			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595387			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595281			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595172			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595062			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594953			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594843			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594734			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594625			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594515			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594406			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594296			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594187			Jump to behavior

Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft|VMWare|Virtual
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2224780699.00000228FF3E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6CF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft|VMWare|Virtual
Source: QUOTATION_NOVQTRA071244PDF.scr.exe, 00000000.00000002.2215561209.00000228E6D71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer SbieDll.dll!cuckoomon.dll"win32_process.handle='{0}'#ParentProcessId$cmd%select * from Win32_BIOS8Unexpected WMI query failure&version'SerialNumber)VMware|VIRTUAL|A M I|Xen*select * from Win32_ComputerSystem+manufacturer,model-Microsoft|VMWare|Virtual.john/anna0xxxxxxxx
Source: aspnet_compiler.exe, 00000004.00000002.2959731204.000001904F01A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Code function: 0_2_00007FFD9BAB1535 CheckRemoteDebuggerPresent,

0_2_00007FFD9BAB1535

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 4EEC0000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 1904EEC0000

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2961287104.0000019050ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Remote Access Functionality

Source: Yara match	File source: 4.2.aspnet_compiler.exe.19060c900e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.19050ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.19050ae0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.19060c900e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2961287104.0000019050ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963455838.0000019060C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2960594780.0000019050AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2961287104.0000019050C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7792, type: MEMORYSTR