Windows Analysis Report
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_OCTQTRA071244PDF.scr.exe
Analysis ID:	1543806
MD5:	5ab07a2800291bd5cabc6ccaef82e20b
SHA1:	ba5c41ee66a9e9be480db7f828ba6a63fcc50bc6
SHA256:	6c403516d322330a43a884229831078dfcadf76a81e77061f14b5de698efa071
Tags:	exeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "abbsend@qlststv.com", "Password": "G!!HFpD6EwDq*nF", "Host": "gator3220.hostgator.com", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49778 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 4x nop then jmp 00007FFD9BA1A02Ch	0_2_00007FFD9BA19CF2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8AA235h	4_2_00007FFD9B8A9E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8A9C1Bh	4_2_00007FFD9B8A99A3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8A7470h	4_2_00007FFD9B8A7419
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8AA235h	4_2_00007FFD9B8AA151

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/gxyOEP84bSEs HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49789 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49773 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49801 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49787 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49826 -> 188.114.96.3:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49778 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/gxyOEP84bSEs HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s23.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/jI82Ms6K/download
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	String found in binary or memory: http://filetransfer.io/data-package/jI82Ms6K/download?exceptionsAllowedBeforeBreakingAValue
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE4F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7702000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A776D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/jI82Ms6K/download
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE7D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188p
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7730000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7723000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io/storage/download/gxyOEP84bSEs
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2328766008.000002C7B801D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2316760953.000002C7A79E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA00A48	0_2_00007FFD9BA00A48
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA15A2D	0_2_00007FFD9BA15A2D
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA086B9	0_2_00007FFD9BA086B9
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA00AF0	0_2_00007FFD9BA00AF0
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA02591	0_2_00007FFD9BA02591
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C61904279C	4_2_000002C61904279C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619042B78	4_2_000002C619042B78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619042FA8	4_2_000002C619042FA8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C6190418C0	4_2_000002C6190418C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619046254	4_2_000002C619046254
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619043A5C	4_2_000002C619043A5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD9B8A0863	4_2_00007FFD9B8A0863

PE file does not import any functions

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000000.1691472736.000002C7A580A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEyrjvce.exeH vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2334844929.000002C7BFE80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameYnkbiiyb.dll" vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Binary or memory string: OriginalFilenameEyrjvce.exeH vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Yara signature match

Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2328766008.000002C7B801D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2316760953.000002C7A79E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, PrinterProcessResolver.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, TaskIdentifierItem.cs	Task registration methods: 'RegisterComposer', 'CreateVisitor', 'CreatePrinter'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61B000000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AFF0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61B00E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs

.Net Code: Type.GetTypeFromHandle(iBCq9Uo05mtTNBBh2iI.k8tG5N3Dyp(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(iBCq9Uo05mtTNBBh2iI.k8tG5N3Dyp(16777252)),Type.GetTypeFromHandle(iBCq9Uo05mtTNBBh2iI.k8tG5N3Dyp(16777284))})

.NET source code contains potential unpacker

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, MapperAttributeDispatcher.cs	.Net Code: ReflectPage System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7c0000000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7cddb88.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2335523965.000002C7C0000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe PID: 3244, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9B8048FA push eax; retf		0_2_00007FFD9B804969
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9B803D78 push E95D3B67h; ret		0_2_00007FFD9B803D99

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7bfe80000.12.raw.unpack, JGdQe0bE0VWwd1eUu8a.cs	High entropy of concatenated method names: 'bohbpNYXrw', 'MmG00wkufbeWKI6FiBy', 'BQHeTtkWPeujXbfH88Q', 'CcaZTVqZXA66xdSNsmY', 'TY5t7lqQo4lgLnTCXOg'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'Q8VjDVpeFtinqeyWmy0'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, OAEVPXA0tqc8rHAo1Rl.cs	High entropy of concatenated method names: 'BYpAJn2vgm', 'eeDA3yIKMu', 'guvA2E3awv', 'G8dAq75Aq0', 'sM7AkuZJaF', 'GThYrMqnQUIQMkG3G6U', 'hqSrYyqBnRukgNDCBYP', 'aibt4vqjIpFOn5TyXVr', 'INIjRHqYuBUBRaaBrln', 'WZ25JdqtJuRQi4qhZ0a'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, JGdQe0bE0VWwd1eUu8a.cs	High entropy of concatenated method names: 'bohbpNYXrw', 'MmG00wkufbeWKI6FiBy', 'BQHeTtkWPeujXbfH88Q', 'CcaZTVqZXA66xdSNsmY', 'TY5t7lqQo4lgLnTCXOg'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	High entropy of concatenated method names: 'vEJcxTpyGbTmboIH2RK', 'rri2MLpPqAmuKT4lOTW', 'qYWoo24Yem', 'MhURGLpH3nn1NdRjqXd', 'VsV1bqpFvSEep39P1kS', 'lwCA6TpXbjaTwGG9GlC', 'EpuYF5psDFF5xf79jIC', 'Ncdvy1pMZwuCV8Q2RXm', 'QwL3u4paooMCkvtIPdL', 'tmrf2Qp7UccyrZDuM62'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, lf6lF7b5GuTqgZIR3mQ.cs	High entropy of concatenated method names: 'YB2bUDIoM6', 'e16b9Twsn6', 'a11bvCXBh7', 'HYhbhaieuY', 'SlgbTfjM4T', 'tfpbnADLDQ', 'bddbButwwc', 'hEJbj21Fjd', 'FvhbYCokm8', 'af2btk9EBU'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, QkIaRKoqxk31ed3onh2.cs	High entropy of concatenated method names: 'bgOoHiqSmG', 'AwuoFPDZql', 'c2AoXEKDFJ', 'uoIosrrAI4', 'ld5oMPXIyx', 'rp9oaSuPNy', 'Jtio7KbvEV', 'pCOoZVduDh', 'Y1WoQMGDAa', 'Q7FoN6dfqB'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, beQG8hoz2wDhgID41FI.cs	High entropy of concatenated method names: 'K5qnRfDlFv', 'Bbsn16P8CW', 'mfTnCKgoRF', 'xevnxCe1FM', 'boLnLGYnAP', 'zgenODndsJ', 'nLgn6evdjg', 'hGg9gZ6fOM', 'poqnlDUt7x', 'Vajn0XaO4f'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, dWGF7q4T03KchkMUHdw.cs	High entropy of concatenated method names: 'qMU4Bb748L', 'esk4jgF15T', 'SupKI3wki91klVyIsfE', 'yTIV68wwuWLKyRa1MiB', 'tKQjfZwpcQSuSTOGFxL', 'QDVe0owfjkqEQhhQc1S', 'RBN7GUwrRVHLGiPkEqb', 'zZGoIJw8v5633sJJOaI', 'Tw92mrwyMWWW6gdbxqs', 'OUbDujwPqPZM1ZrHwep'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, WO7efgmLsvk94SLNbM.cs	High entropy of concatenated method names: 'JkMRkVZt2', 'cre1qPNfB', 'RYYxLkQ0K', 'Rg3CGAu4U', 'HjtMm124hlXD85eyo18', 'VYjH9j2Um2v5Uv9a8vu', 'F7Cd4c2otNEPSGaw5d7'

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP]J
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE\|VIRTUAL\|A M I\|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT\|VMWARE\|VIRTUALXJOHNYANNAZXXXXXXXX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Memory allocated: 2C7A5A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Memory allocated: 2C7BF6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2C61AAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2C632D20000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FFD9BA166AF rdtsc

0_2_00007FFD9BA166AF

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597481	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 7384	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 2457	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1305	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8546	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 3452	Thread sleep count: 7384 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 3452	Thread sleep count: 2457 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99176s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98946s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98486s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98345s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98211s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97053s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96710s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95496s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95387s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 2080	Thread sleep count: 1305 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 2080	Thread sleep count: 8546 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597481s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595077s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594640s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99176	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98946	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98746	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98486	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98345	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98211	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98080	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97053	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96710	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96061	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95717	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95608	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95496	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95387	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95279	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95063	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94813	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597481	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: aspnet_compiler.exe, 00000004.00000002.2949573602.000002C6190BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUH
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2334844929.000002C7BFE80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: QEMUOfD1iR
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware\|VIRTUAL\|A M I\|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft\|VMWare\|VirtualXjohnYannaZxxxxxxxx
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2315387929.000002C7A5AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FFD9BA166AF rdtsc

0_2_00007FFD9BA166AF

Enables debug privileges

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 19020000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 2C619020000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AF69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AF69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	filetransfer.io	European Union		13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

Contacted Domains

Name	IP	Active
filetransfer.io	188.114.96.3	true
reallyfreegeoip.org	188.114.96.3	true
s23.filetransfer.io	188.114.96.3	true
checkip.dyndns.com	158.101.44.242	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s23.filetransfer.io/storage/download/gxyOEP84bSEs	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://filetransfer.io/data-package/jI82Ms6K/download	false		unknown
http://filetransfer.io/data-package/jI82Ms6K/download	false		unknown
https://reallyfreegeoip.org/xml/155.94.241.188	false		unknown

AV Detection

Found malware configuration

Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp

Multi AV Scanner detection for submitted file

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49778 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 4x nop then jmp 00007FFD9BA1A02Ch	0_2_00007FFD9BA19CF2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8AA235h	4_2_00007FFD9B8A9E4D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8A9C1Bh	4_2_00007FFD9B8A99A3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8A7470h	4_2_00007FFD9B8A7419
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 00007FFD9B8AA235h	4_2_00007FFD9B8AA151

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/gxyOEP84bSEs HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49789 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49773 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49801 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49787 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49826 -> 188.114.96.3:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49778 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /storage/download/gxyOEP84bSEs HTTP/1.1Host: s23.filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/jI82Ms6K/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: s23.filetransfer.io
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/jI82Ms6K/download
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	String found in binary or memory: http://filetransfer.io/data-package/jI82Ms6K/download?exceptionsAllowedBeforeBreakingAValue
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE4F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A76C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7702000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A776D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/jI82Ms6K/download
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AEE7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE7D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AF55000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188
Source: aspnet_compiler.exe, 00000004.00000002.2950884480.000002C61AE2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188p
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7730000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7723000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s23.filetransfer.io/storage/download/gxyOEP84bSEs
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2328766008.000002C7B801D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2316760953.000002C7A79E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA00A48	0_2_00007FFD9BA00A48
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA15A2D	0_2_00007FFD9BA15A2D
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA086B9	0_2_00007FFD9BA086B9
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA00AF0	0_2_00007FFD9BA00AF0
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9BA02591	0_2_00007FFD9BA02591
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C61904279C	4_2_000002C61904279C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619042B78	4_2_000002C619042B78
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619042FA8	4_2_000002C619042FA8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C6190418C0	4_2_000002C6190418C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619046254	4_2_000002C619046254
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_000002C619043A5C	4_2_000002C619043A5C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Code function: 4_2_00007FFD9B8A0863	4_2_00007FFD9B8A0863

PE file does not import any functions

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000000.1691472736.000002C7A580A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEyrjvce.exeH vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2334844929.000002C7BFE80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameYnkbiiyb.dll" vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Binary or memory string: OriginalFilenameEyrjvce.exeH vs QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Yara signature match

Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2328766008.000002C7B801D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2949416019.000002C619020000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2316760953.000002C7A79E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, PrinterProcessResolver.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	Cryptographic APIs: 'CreateDecryptor'

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, TaskIdentifierItem.cs	Task registration methods: 'RegisterComposer', 'CreateVisitor', 'CreatePrinter'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@4/2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7F2E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7FA6000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2336208720.000002C7C02D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2335828598.000002C7C0080000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2328766008.000002C7B7DCB000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs

.NET source code contains potential unpacker

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, MapperAttributeDispatcher.cs	.Net Code: ReflectPage System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7d7bdf8.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7f569a8.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7dcbe30.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7c0000000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b7cddb88.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2335523965.000002C7C0000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2328766008.000002C7B7BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe PID: 3244, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9B8048FA push eax; retf		0_2_00007FFD9B804969
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Code function: 0_2_00007FFD9B803D78 push E95D3B67h; ret		0_2_00007FFD9B803D99

Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7bfe80000.12.raw.unpack, JGdQe0bE0VWwd1eUu8a.cs	High entropy of concatenated method names: 'bohbpNYXrw', 'MmG00wkufbeWKI6FiBy', 'BQHeTtkWPeujXbfH88Q', 'CcaZTVqZXA66xdSNsmY', 'TY5t7lqQo4lgLnTCXOg'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'Q8VjDVpeFtinqeyWmy0'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, OAEVPXA0tqc8rHAo1Rl.cs	High entropy of concatenated method names: 'BYpAJn2vgm', 'eeDA3yIKMu', 'guvA2E3awv', 'G8dAq75Aq0', 'sM7AkuZJaF', 'GThYrMqnQUIQMkG3G6U', 'hqSrYyqBnRukgNDCBYP', 'aibt4vqjIpFOn5TyXVr', 'INIjRHqYuBUBRaaBrln', 'WZ25JdqtJuRQi4qhZ0a'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, JGdQe0bE0VWwd1eUu8a.cs	High entropy of concatenated method names: 'bohbpNYXrw', 'MmG00wkufbeWKI6FiBy', 'BQHeTtkWPeujXbfH88Q', 'CcaZTVqZXA66xdSNsmY', 'TY5t7lqQo4lgLnTCXOg'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, qFHbx242VP7CG5hqXEm.cs	High entropy of concatenated method names: 'vEJcxTpyGbTmboIH2RK', 'rri2MLpPqAmuKT4lOTW', 'qYWoo24Yem', 'MhURGLpH3nn1NdRjqXd', 'VsV1bqpFvSEep39P1kS', 'lwCA6TpXbjaTwGG9GlC', 'EpuYF5psDFF5xf79jIC', 'Ncdvy1pMZwuCV8Q2RXm', 'QwL3u4paooMCkvtIPdL', 'tmrf2Qp7UccyrZDuM62'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, lf6lF7b5GuTqgZIR3mQ.cs	High entropy of concatenated method names: 'YB2bUDIoM6', 'e16b9Twsn6', 'a11bvCXBh7', 'HYhbhaieuY', 'SlgbTfjM4T', 'tfpbnADLDQ', 'bddbButwwc', 'hEJbj21Fjd', 'FvhbYCokm8', 'af2btk9EBU'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, QkIaRKoqxk31ed3onh2.cs	High entropy of concatenated method names: 'bgOoHiqSmG', 'AwuoFPDZql', 'c2AoXEKDFJ', 'uoIosrrAI4', 'ld5oMPXIyx', 'rp9oaSuPNy', 'Jtio7KbvEV', 'pCOoZVduDh', 'Y1WoQMGDAa', 'Q7FoN6dfqB'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, beQG8hoz2wDhgID41FI.cs	High entropy of concatenated method names: 'K5qnRfDlFv', 'Bbsn16P8CW', 'mfTnCKgoRF', 'xevnxCe1FM', 'boLnLGYnAP', 'zgenODndsJ', 'nLgn6evdjg', 'hGg9gZ6fOM', 'poqnlDUt7x', 'Vajn0XaO4f'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, dWGF7q4T03KchkMUHdw.cs	High entropy of concatenated method names: 'qMU4Bb748L', 'esk4jgF15T', 'SupKI3wki91klVyIsfE', 'yTIV68wwuWLKyRa1MiB', 'tKQjfZwpcQSuSTOGFxL', 'QDVe0owfjkqEQhhQc1S', 'RBN7GUwrRVHLGiPkEqb', 'zZGoIJw8v5633sJJOaI', 'Tw92mrwyMWWW6gdbxqs', 'OUbDujwPqPZM1ZrHwep'
Source: 0.2.QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe.2c7b79d6938.7.raw.unpack, WO7efgmLsvk94SLNbM.cs	High entropy of concatenated method names: 'JkMRkVZt2', 'cre1qPNfB', 'RYYxLkQ0K', 'Rg3CGAu4U', 'HjtMm124hlXD85eyo18', 'VYjH9j2Um2v5Uv9a8vu', 'F7Cd4c2otNEPSGaw5d7'

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP]J
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE\|VIRTUAL\|A M I\|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT\|VMWARE\|VIRTUALXJOHNYANNAZXXXXXXXX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Memory allocated: 2C7A5A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Memory allocated: 2C7BF6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2C61AAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2C632D20000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FFD9BA166AF rdtsc

0_2_00007FFD9BA166AF

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597481	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 7384	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Window / User API: threadDelayed 2457	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 1305	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 8546	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 3452	Thread sleep count: 7384 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 3452	Thread sleep count: 2457 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -99176s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98946s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98486s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98345s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98211s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -98080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -97053s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96710s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -96061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95496s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95387s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -95063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe TID: 4900	Thread sleep time: -94235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 2080	Thread sleep count: 1305 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 2080	Thread sleep count: 8546 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597481s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -595077s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5948	Thread sleep time: -594640s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 99176	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98946	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98746	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98486	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98345	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98211	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 98080	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 97053	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96710	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 96061	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95844	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95717	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95608	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95496	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95387	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95279	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95172	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 95063	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94938	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94813	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94688	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Thread delayed: delay time: 94235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597481	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 595077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: aspnet_compiler.exe, 00000004.00000002.2949573602.000002C6190BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUH
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2334844929.000002C7BFE80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: QEMUOfD1iR
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A78FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A7D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2316760953.000002C7A779B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware\|VIRTUAL\|A M I\|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft\|VMWare\|VirtualXjohnYannaZxxxxxxxx
Source: QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe, 00000000.00000002.2315387929.000002C7A5AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Code function: 0_2_00007FFD9BA166AF rdtsc

0_2_00007FFD9BA166AF

Enables debug privileges

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Thread created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe EIP: 19020000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 2C619020000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AF69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c61ab20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aspnet_compiler.exe.2c62ad300e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2950604363.000002C61AB20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AF69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2953399954.000002C62AD29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2950884480.000002C61AD21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6012, type: MEMORYSTR

Windows Analysis Report
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1543806
Product:	CloudBasic
Start time:	13:46:05
Start date:	28.10.2024
Sample:	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5ab07a2800291bd5cabc6ccaef82e20b
SHA1:	ba5c41ee66a9e9be480db7f828ba6a63fcc50bc6
SHA256:	6c403516d322330a43a884229831078dfcadf76a81e77061f14b5de698efa071
Filetype:	Win64 Executable GUI Net Framework (217006/5) 49.88%

Windows Analysis Report QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe

Malware Threat Intel
Provided by