Windows Analysis Report
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_OCTQTRA071244PDF.scr.exe
Analysis ID:	1525547
MD5:	2841a5211dd5eee5bcc3c3048b5d00da
SHA1:	a3de07870057a11804c108ca3848b7cf28adbf6b
SHA256:	94226064206b06a63579726747ae6900e6b6335b03b4bb00baf6f9cb0cbb1318
Tags:	exescruser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Found malware configuration

Source: 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rep3send@aoqiinflatables.com", "Password": "Zg^!Zy[?IKrs99@soltan", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	ReversingLabs: Detection: 13%
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Virustotal: Detection: 27%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49714 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49709 version: TLS 1.2

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1934310097.0000017A26290000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D92A000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D9E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1934310097.0000017A26290000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D92A000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D9E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF887BDA235h	5_2_00007FF887BD9E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF887BD9C1Bh	5_2_00007FF887BD99B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FF887BDA235h	5_2_00007FF887BDA151

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /data-package/MlZtCPkK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/LuTcDMs7R8e5 HTTP/1.1Host: s20.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /data-package/MlZtCPkK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49713 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49716 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49727 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49723 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49717 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49721 -> 188.114.96.3:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/MlZtCPkK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/LuTcDMs7R8e5 HTTP/1.1Host: s20.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /data-package/MlZtCPkK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s20.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/MlZtCPkK/download
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00132000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D5A1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/MlZtCPkK/download
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001CA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00238000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00226000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001F1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00161000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001DE000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE001B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: aspnet_compiler.exe, 00000005.00000002.2654091935.000001AE00113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33p
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D64B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s20.filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D64B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s20.filetransfer.io/storage/download/LuTcDMs7R8e5
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49709 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1922304917.0000017A0D856000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887AF1368	0_2_00007FF887AF1368
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887B0E180	0_2_00007FF887B0E180
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD0280	0_2_00007FF887CD0280
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD01FD	0_2_00007FF887CD01FD
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD13E0	0_2_00007FF887CD13E0
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD12F4	0_2_00007FF887CD12F4
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD0210	0_2_00007FF887CD0210
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887CD11D1	0_2_00007FF887CD11D1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C2B9C	5_2_000001AE692C2B9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C2F78	5_2_000001AE692C2F78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C3E5C	5_2_000001AE692C3E5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C6654	5_2_000001AE692C6654
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C33A8	5_2_000001AE692C33A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_000001AE692C1CC0	5_2_000001AE692C1CC0

PE file does not import any functions

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1934310097.0000017A26290000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTmmvyvqzioy.dll" vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000000.1408011353.0000017A0B81C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZflljac.exe: vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D92A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1933620032.0000017A260A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTmmvyvqzioy.dll" vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D9E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1930706424.0000017A1D7B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922078507.0000017A0BDC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Binary or memory string: OriginalFilenameZflljac.exe: vs QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Yara signature match

Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2656855245.000001AE692A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1922304917.0000017A0D856000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, -.cs

Base64 encoded string: 'jjJdFB838xlLBhY/vj9HDxR0nDhdBRc4sTIVJx8umCVaEgMbrjhLDRg2pHBJBQ4Fmz5CDDQ7sC4VDwoFlCVLEQ87sSJaGUE9uD9xLB80uj9GWz0/qR9XEB8cryRDKBs0uSdLWx0/qRRgARc/5gJABB8iki0VMh87uRhaEhM0unBvBB5hui5aPyo1riJaCRU05ixLFCUZqDlcBRQumSRDARM05hhLFD47qSoVUkhj6nkVIQkpuCZMDAMJuDlYBQhhjiJDEBY/nDhdBRc4sTJrGAo2sjlLEkE4vClLDAw35jhDDxE/qS5dFA=='

Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, -.cs	.Net Code: _E000 System.AppDomain.Load(byte[])
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a0bdc0000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26290000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a26210000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d63fc80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00faPDF.scr.exe.17a1d5c9648.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1934071386.0000017A26210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1930706424.0000017A1D5C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe PID: 7264, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887B0091A push dword ptr [esi-17000000h]; ret	0_2_00007FF887B00923
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887AFF90E push dword ptr [eax-16FFFFFFh]; iretd	0_2_00007FF887AFF917
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C306BD push es; ret	0_2_00007FF887C30712
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C30673 push es; ret	0_2_00007FF887C3067A
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C30E63 push cs; ret	0_2_00007FF887C30E6A
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C335B5 push eax; ret	0_2_00007FF887C33609
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FF887C30D69 push cs; ret	0_2_00007FF887C30DCA

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERESBIEDLL.DLLFCUCKOOMON.DLLGWIN32_PROCESS.HANDLE='{0}'HPARENTPROCESSIDICMDJSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREKVERSIONLSERIALNUMBERNVMWARE\|VIRTUAL\|A M I\|XENOSELECT * FROM WIN32_COMPUTERSYSTEMPMANUFACTURERQMODELRMICROSOFT\|VMWARE\|VIRTUALSJOHNTANNAUXXXXXXXX

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Memory allocated: 17A0BB40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Memory allocated: 17A255A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1AE6AD60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1AE6AEF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599714	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599356	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 599084	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 598071	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596853	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596727	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596279	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595442	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593809	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 593636	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594516	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 2229	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 7553	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1631	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8222	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7388	Thread sleep count: 2229 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7388	Thread sleep count: 7553 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599714s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -599084s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -598071s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -597077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596853s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596727s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595442s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -593809s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe TID: 7384	Thread sleep time: -593636s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7956	Thread sleep count: 1631 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7956	Thread sleep count: 8222 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 7952	Thread sleep time: -594516s >= -30000s	Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1922304917.0000017A0D6A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerESbieDll.dllFcuckoomon.dllGwin32_process.handle='{0}'HParentProcessIdIcmdJselect * from Win32_BIOS8Unexpected WMI query failureKversionLSerialNumberNVMware\|VIRTUAL\|A M I\|XenOselect * from Win32_ComputerSystemPmanufacturerQmodelRMicrosoft\|VMWare\|VirtualSjohnTannaUxxxxxxxx
Source: QUOTATION_OCTQTRA071244#U00faPDF.scr.exe, 00000000.00000002.1921577651.0000017A0BAA7000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2657199688.000001AE694DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00faPDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae100100e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae100100e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.1ae6ada0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2654091935.000001AE0024B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2658156720.000001AE6ADA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2656248989.000001AE10009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2654091935.000001AE00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7848, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	filetransfer.io	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

Name	Malicious	Antivirus Detection	Reputation
http://filetransfer.io/data-package/MlZtCPkK/download	false	1%, Virustotal, Browse	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://filetransfer.io/data-package/MlZtCPkK/download	false	1%, Virustotal, Browse	unknown
https://s20.filetransfer.io/storage/download/LuTcDMs7R8e5	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown

ID:	1525547
Product:	CloudBasic
Start time:	11:22:27
Start date:	04.10.2024
Sample:	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2841a5211dd5eee5bcc3c3048b5d00da
SHA1:	a3de07870057a11804c108ca3848b7cf28adbf6b
SHA256:	94226064206b06a63579726747ae6900e6b6335b03b4bb00baf6f9cb0cbb1318
Filetype:	Win64 Executable GUI Net Framework (217006/5) 49.88%

Windows Analysis Report QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe

Malware Threat Intel
Provided by