Edit tour

Windows Analysis Report
QUOTATION_FEBQUOTE312025PDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_FEBQUOTE312025PDF.scr.exe
Analysis ID:	1636408
MD5:	6126dfbcef916c031c1b9c9906dbfa69
SHA1:	3d7cf8fb4c7832bc917d43c9551907b8633da776
SHA256:	7bcb379b68f81b941856cd711980a14a8e3ae8954c1328342185d77511617e50
Tags:	exeMassLoggerscruser-abuse_ch
Infos:

Detection

MSIL Logger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

QUOTATION_FEBQUOTE312025PDF.scr.exe (PID: 7864 cmdline: "C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe" MD5: 6126DFBCEF916C031C1B9C9906DBFA69)

RegAsm.exe (PID: 7564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1733436944.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1730533843.00000000039DA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.2475864432.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1730533843.00000000038EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.2478463480.0000000002D50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QUOTATION_FEBQUOTE312025PDF.scr.exe PID: 7864	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_FEBQUOTE312025PDF.scr.exe PID: 7864	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QUOTATION_FEBQUOTE312025PDF.scr.exe PID: 7864	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegAsm.exe PID: 7564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7564	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegAsm.exe PID: 7564	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.52f0000.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.52f0000.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
8.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:42:40.734395+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49725	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe	Virustotal: Detection: 26%			Perma Link
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe	ReversingLabs: Detection: 50%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.00000000037B5000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.0000000003761000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1734111812.0000000005B50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.00000000037B5000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.0000000003761000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1734111812.0000000005B50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0531475Bh		8_2_05314102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0655F64Fh		8_2_0655EF78

Source: global traffic	TCP traffic: 192.168.2.4:63283 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.4:50263 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49725 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe	String found in binary or memory: http://www.codeproject.com/Articles/16009/A-Much-Easier-to-Use-ListView
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_FEBQUOTE312025PDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A364D8 NtResumeThread,		0_2_05A364D8
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A364D0 NtResumeThread,		0_2_05A364D0

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_00B4EC90	0_2_00B4EC90
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_00B4A7F7	0_2_00B4A7F7
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_00B4A7F8	0_2_00B4A7F8
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_00B4B188	0_2_00B4B188
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A1F590	0_2_05A1F590
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A1F870	0_2_05A1F870
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A1E530	0_2_05A1E530
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A0003B	0_2_05A0003B
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A00040	0_2_05A00040
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A1E040	0_2_05A1E040
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A30040	0_2_05A30040
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A30007	0_2_05A30007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A41E0	8_2_011A41E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A3528	8_2_011A3528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011AD9F6	8_2_011AD9F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A41D0	8_2_011A41D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A9759	8_2_011A9759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A9768	8_2_011A9768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A465B	8_2_011A465B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A4668	8_2_011A4668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011AD938	8_2_011AD938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011AD928	8_2_011AD928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A3F1B	8_2_011A3F1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A3F28	8_2_011A3F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0531E2B0	8_2_0531E2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05317350	8_2_05317350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0531CFF8	8_2_0531CFF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05313E24	8_2_05313E24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_053179F8	8_2_053179F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_053179EA	8_2_053179EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_064734B0	8_2_064734B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06474210	8_2_06474210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06476730	8_2_06476730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0647C530	8_2_0647C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0647BA00	8_2_0647BA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_065257C8	8_2_065257C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06527060	8_2_06527060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0652DC50	8_2_0652DC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06553F1F	8_2_06553F1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06553F20	8_2_06553F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06559390	8_2_06559390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0655539D	8_2_0655539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06550040	8_2_06550040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0655001D	8_2_0655001D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06558560	8_2_06558560

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.00000000037B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.0000000003761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000000.1227812114.0000000000102000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYepvtzyf.exe> vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1722959147.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1731834870.0000000004D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEdapqkcvjxv.dll" vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.00000000038EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1734111812.0000000005B50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs QUOTATION_FEBQUOTE312025PDF.scr.exe
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe	Binary or memory string: OriginalFilenameYepvtzyf.exe> vs QUOTATION_FEBQUOTE312025PDF.scr.exe

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, VisibleSummarizer.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, YbOkxJkkuyrEvGpZRxB.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, v8f3sEAiXMIndiAwxA.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, J6ZmsiiOv9lL9au1RsD.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, J6ZmsiiOv9lL9au1RsD.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@4/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000008.00000002.2478463480.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe	Virustotal: Detection: 26%
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe	ReversingLabs: Detection: 50%

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

String found in binary or memory: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD></HEAD><BODY>{0}</BODY></HTML>

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe "C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static file information: File size 2265088 > 1048576

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x227400

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.00000000037B5000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.0000000003761000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1734111812.0000000005B50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.00000000037B5000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1730533843.0000000003761000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1734111812.0000000005B50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, J6ZmsiiOv9lL9au1RsD.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, SelectorEvaluator.cs	.Net Code: UndoAccessibleSelector System.AppDomain.Load(byte[])
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3765570.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.37b5590.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.5b50000.8.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.52f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.52f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1733436944.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_FEBQUOTE312025PDF.scr.exe PID: 7864, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_00B43220 push eax; retf	0_2_00B4322A
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A06DA4 push ds; ret	0_2_05A06DA7
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A027A6 pushad ; retf	0_2_05A027A8
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A02E17 pushad ; retf	0_2_05A02E19
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A0108D pushad ; retf	0_2_05A0108F
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A070FB push edi; ret	0_2_05A07106
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A038C5 pushad ; retf	0_2_05A038CB
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A048D8 pushad ; retf	0_2_05A048DA
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Code function: 0_2_05A04BA9 pushad ; retf	0_2_05A04BAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A83A6 push edi; ret	8_2_011A83A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A778B push eax; iretd	8_2_011A77B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A1674 push esp; ret	8_2_011A1675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A0C5E push esp; ret	8_2_011A0C5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A1CCE push esp; ret	8_2_011A1CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_011A1F51 push esp; ret	8_2_011A1F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0647CE5C push es; retf	8_2_0647CE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0647872A push es; ret	8_2_0647872C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06471D09 push es; retf	8_2_06471D3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06470D14 push eax; retf	8_2_06470D16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06479B30 push es; ret	8_2_06479B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0647B96C push es; retf	8_2_0647B9A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0647B9AD push es; ret	8_2_0647B9B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_065210C0 push es; iretd	8_2_065210CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0652BA72 push es; ret	8_2_0652BA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_065208D2 push es; ret	8_2_065208C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_065208B0 push es; ret	8_2_065208C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06557E7E push esi; ret	8_2_06557E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06557AB6 push es; ret	8_2_06557AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06550006 push es; iretd	8_2_0655001C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06553CBE push es; retf	8_2_06553CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06553D9E push es; ret	8_2_06553DA0

Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, YbOkxJkkuyrEvGpZRxB.cs	High entropy of concatenated method names: 'mCQ6KMUjYr', 'wtG6kXePJ2', 'r5A6N5xxMK', 'BF66s6iow9', 'dKY6F5m4Gy', 'lpW6HqP0Ep', 'c0nLJsFIhmtKWnrmfRm', 'Tkv7mZFVmkSCgsJwx15', 'jP1kMGgH5w', 'kulkibIKTL'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, v8f3sEAiXMIndiAwxA.cs	High entropy of concatenated method names: 'JQFKlfqBZ4', 'TnHK561v3T', 'aDH01VFTTbKusDw5mZg', 'yqTRUpFZBPoZXe2cJpI', 'a8gKaGXJNL', 'KTPKOsEjXm', 'h0fKLfRjc7', 'SSwK1RC8Ib', 'M5MKveiNN7', 'YsPKVbe9XQ'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, RNPoHHZfZ4GBIKwk9N.cs	High entropy of concatenated method names: 'KEl9Rk5cY', 'u2mLBcpbk', 'Equals', 'GetHashCode', 'Nyd77sDV0', 'ToString', 'cwlwMF2xfjh1CGaq8xv', 'WEd5m72b7sBaBR0VWLy', 'Equals', 'GetHashCode'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, J6ZmsiiOv9lL9au1RsD.cs	High entropy of concatenated method names: 'Wth73nHVMa5sADcZHQ2', 'Lffoa7HmFPDwCygdZQE', 'hrFsMvBK3P', 'vh0ry9Sq2v', 'rleshxDwlj', 'XimsGa4Xgq', 'my4sThPAaP', 'sYPsZnZ7Tw', 'VI0hjnOZOq', 'U67iCPKWWG'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, MozilSpeed.cs	High entropy of concatenated method names: 'CvI6AeNVRf', 'YOh64VemIN', 'mJy6nO9dZv', 'rj66rJW9WZ', 'c386zSxFLG', 'W99Mp3ev6T', 'OdSDLmH2Q5f1Ux9WlY8', 'wbRaBpHFhHe9oYq8IQW', 'oQRMN1w14M', 'mXgMsKlOed'
Source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, NuSFFTsuKcAuqQw8oNh.cs	High entropy of concatenated method names: 'PK6sU4blxy', 'suJs1y5bNp', 'arBsviQZ2y', 'u5MsIJfJAG', 'pHusVh6nsh', 'idRsmla7mS', 'TtpsdoJZxv', 'NbZsqACico', 'a0Xsj1M3pC', 'zjnscu5465'

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: QUOTATION_FEBQUOTE312025PDF.scr.exe PID: 7864, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 11A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4C20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594612	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1588			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 8237			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe TID: 7868	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe TID: 7868	Thread sleep time: -52947s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 424	Thread sleep count: 1588 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 424	Thread sleep count: 8237 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -594612s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7924	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594612	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: jetgS3wHgFSpecified
Source: QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: RegAsm.exe, 00000008.00000002.2476677634.0000000001031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_0531E2B0 LdrInitializeThunk,

8_2_0531E2B0

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 448000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AD8008	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1730533843.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2475864432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1730533843.00000000038EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_FEBQUOTE312025PDF.scr.exe PID: 7864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000008.00000002.2478463480.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION_FEBQUOTE312025PDF.scr.exe.3956e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1730533843.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2475864432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1730533843.00000000038EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_FEBQUOTE312025PDF.scr.exe PID: 7864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_FEBQUOTE312025PDF.scr.exe	26%	Virustotal		Browse
QUOTATION_FEBQUOTE312025PDF.scr.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
QUOTATION_FEBQUOTE312025PDF.scr.exe	100%	Avira	TR/Dropper.MSIL.hammw

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high
171.39.242.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-neti	QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	RegAsm.exe, 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegAsm.exe, 00000008.00000002.2478463480.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegAsm.exe, 00000008.00000002.2478463480.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-net	QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1733656276.0000000005370000.00000004.08000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegAsm.exe, 00000008.00000002.2478463480.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.codeproject.com/Articles/16009/A-Much-Easier-to-Use-ListView	QUOTATION_FEBQUOTE312025PDF.scr.exe	false	high
http://checkip.dyndns.org	RegAsm.exe, 00000008.00000002.2478463480.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_FEBQUOTE312025PDF.scr.exe, 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	RegAsm.exe, 00000008.00000002.2478463480.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636408
Start date and time:	2025-03-12 18:40:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_FEBQUOTE312025PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 119 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:42:21	API Interceptor	23x Sleep call for process: QUOTATION_FEBQUOTE312025PDF.scr.exe modified
13:42:47	API Interceptor	20162x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	J8bamK92a3.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p
	0t7MXNEfCg.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	http://orico-rapaciid.xqyrr.cn/eorico/login/	Get hash	malicious	Unknown	Browse	orico-rapaciid.xqyrr.cn/favicon.ico
193.122.6.168	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	INQ_NO_097590_0109_Order.cmd	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	SIP_20252701095738583757327401213.bat.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	4kobC6KGC3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	p7wgyD3kbI.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	hcy2SdW2z6.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	C7fclY8IiM.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	oybsEA5EhR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REQ. NO.237.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
reallyfreegeoip.org	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	cbr.m68k.elf	Get hash	malicious	Mirai	Browse	144.25.156.103
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	http://account.hrblock.com	Get hash	malicious	Unknown	Browse	130.61.120.2
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	QUOTATION_FEBQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	193.122.130.0
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	158.101.44.242
CLOUDFLARENETUS	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.68.120
	aXeuKjNXAK.ps1	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.68.120
	Q6EK7dte4N.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
	x1D44JHWDf.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	Dsyhre- approved on Wednesday March 2025.pdf	Get hash	malicious	Gabagool	Browse	172.67.74.152
	9ua5N7dcBZ.exe	Get hash	malicious	Amadey, RHADAMANTHYS	Browse	172.64.41.3
	https://tb.boldntfst.shop/	Get hash	malicious	Unknown	Browse	172.67.154.53
	Venom.6.0.3.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	https://gamma.app/docs/Acme-Marinas-u6y65o1kwdzhz1k?mode=present#card-8msfzjulvjyffwk	Get hash	malicious	HTMLPhisher	Browse	104.18.11.200

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.075941957297543
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	QUOTATION_FEBQUOTE312025PDF.scr.exe
File size:	2'265'088 bytes
MD5:	6126dfbcef916c031c1b9c9906dbfa69
SHA1:	3d7cf8fb4c7832bc917d43c9551907b8633da776
SHA256:	7bcb379b68f81b941856cd711980a14a8e3ae8954c1328342185d77511617e50
SHA512:	cab1ba590a95c164bbcbf58344bc56cef50bfae0b30e6f12b67347d53d05e486450bd5b9f6dcc8584c7774e34679a51d7f23895722d4a4cd56c8a3e32b5b8e2f
SSDEEP:	24576:eXzqApELtMXIcflDsx+8O5mw32Yc4hxpZdawZxY8QOTkEGZvHY6JLab:MOwxp84mwGYXhxpZsk3W3fY6JLa
TLSH:	8BA53923FE47ABF1C2542777FADB4C0053A4E6817717D65FB9CA636A1843BBA8940207
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d..g.................t".........n.".. ...."...@.. ........................"...........`................................

File Icon


Icon Hash:	0f7968e428693107

Static PE Info

General

Entrypoint:	0x62926e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D0F964 [Wed Mar 12 03:03:00 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x229220	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22a000	0x177c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x22c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x227274	0x227400	9f50087b727225d39d5b08d03db00c0c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x22a000	0x177c	0x1800	11ca8fd85b3b7f70077371de07e684ad	False	0.37109375	data	5.247511295178287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x22c000	0xc	0x200	dffc6b9e899b2cc62160d46c25a2fa28	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x22a160	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 768	0.48623853211009177
RT_ICON	0x22a4c8	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072	0.3333333333333333
RT_GROUP_ICON	0x22b170	0x22	data	0.9705882352941176
RT_VERSION	0x22b194	0x3fc	data	0.40490196078431373
RT_MANIFEST	0x22b590	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	AhnLab V3 Lite Main UI Application
CompanyName	AhnLab, Inc.
FileDescription	AhnLab V3 Lite Main UI Application
FileVersion	4.0.0.117
InternalName	Yepvtzyf.exe
LegalCopyright	2018-2019 AhnLab, Inc. All rights reserved.
LegalTrademarks
OriginalFilename	Yepvtzyf.exe
ProductName	AhnLab V3 Lite
ProductVersion	4.0.0.117
Assembly Version	4.0.0.117

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-12T18:42:40.734395+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49725	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 18:42:39.814795017 CET	49725	80	192.168.2.4	193.122.6.168
Mar 12, 2025 18:42:39.819498062 CET	80	49725	193.122.6.168	192.168.2.4
Mar 12, 2025 18:42:39.819595098 CET	49725	80	192.168.2.4	193.122.6.168
Mar 12, 2025 18:42:39.820058107 CET	49725	80	192.168.2.4	193.122.6.168
Mar 12, 2025 18:42:39.824976921 CET	80	49725	193.122.6.168	192.168.2.4
Mar 12, 2025 18:42:40.476721048 CET	80	49725	193.122.6.168	192.168.2.4
Mar 12, 2025 18:42:40.487901926 CET	49725	80	192.168.2.4	193.122.6.168
Mar 12, 2025 18:42:40.492635012 CET	80	49725	193.122.6.168	192.168.2.4
Mar 12, 2025 18:42:40.679904938 CET	80	49725	193.122.6.168	192.168.2.4
Mar 12, 2025 18:42:40.690725088 CET	49726	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:40.690762043 CET	443	49726	104.21.16.1	192.168.2.4
Mar 12, 2025 18:42:40.690838099 CET	49726	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:40.700511932 CET	49726	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:40.700537920 CET	443	49726	104.21.16.1	192.168.2.4
Mar 12, 2025 18:42:40.734395027 CET	49725	80	192.168.2.4	193.122.6.168
Mar 12, 2025 18:42:48.824048996 CET	443	49726	104.21.16.1	192.168.2.4
Mar 12, 2025 18:42:48.824295044 CET	49726	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:48.852075100 CET	49726	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:48.852104902 CET	443	49726	104.21.16.1	192.168.2.4
Mar 12, 2025 18:42:48.854197979 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:48.854232073 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 18:42:48.854321003 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:48.854650021 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:48.854664087 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 18:42:57.009588003 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 18:42:57.009742022 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:57.011223078 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 18:42:57.011260986 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 18:43:22.760066032 CET	63283	53	192.168.2.4	162.159.36.2
Mar 12, 2025 18:43:22.764842987 CET	53	63283	162.159.36.2	192.168.2.4
Mar 12, 2025 18:43:22.764929056 CET	63283	53	192.168.2.4	162.159.36.2
Mar 12, 2025 18:43:22.770165920 CET	53	63283	162.159.36.2	192.168.2.4
Mar 12, 2025 18:43:23.248095989 CET	63283	53	192.168.2.4	162.159.36.2
Mar 12, 2025 18:43:23.254148960 CET	53	63283	162.159.36.2	192.168.2.4
Mar 12, 2025 18:43:23.254256010 CET	63283	53	192.168.2.4	162.159.36.2
Mar 12, 2025 18:43:40.492830992 CET	50263	53	192.168.2.4	162.159.36.2
Mar 12, 2025 18:43:40.497874975 CET	53	50263	162.159.36.2	192.168.2.4
Mar 12, 2025 18:43:40.497962952 CET	50263	53	192.168.2.4	162.159.36.2
Mar 12, 2025 18:43:40.503242016 CET	53	50263	162.159.36.2	192.168.2.4
Mar 12, 2025 18:43:40.967749119 CET	50263	53	192.168.2.4	162.159.36.2
Mar 12, 2025 18:43:40.973110914 CET	53	50263	162.159.36.2	192.168.2.4
Mar 12, 2025 18:43:40.973177910 CET	50263	53	192.168.2.4	162.159.36.2
Mar 12, 2025 18:43:45.680572033 CET	80	49725	193.122.6.168	192.168.2.4
Mar 12, 2025 18:43:45.680689096 CET	49725	80	192.168.2.4	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 18:42:39.800205946 CET	60728	53	192.168.2.4	1.1.1.1
Mar 12, 2025 18:42:39.807018995 CET	53	60728	1.1.1.1	192.168.2.4
Mar 12, 2025 18:42:40.682209969 CET	54999	53	192.168.2.4	1.1.1.1
Mar 12, 2025 18:42:40.689610958 CET	53	54999	1.1.1.1	192.168.2.4
Mar 12, 2025 18:43:21.751039028 CET	50693	53	192.168.2.4	1.1.1.1
Mar 12, 2025 18:43:21.758981943 CET	53	50693	1.1.1.1	192.168.2.4
Mar 12, 2025 18:43:22.758725882 CET	53	62442	162.159.36.2	192.168.2.4
Mar 12, 2025 18:43:23.254538059 CET	51275	53	192.168.2.4	1.1.1.1
Mar 12, 2025 18:43:23.275908947 CET	53	51275	1.1.1.1	192.168.2.4
Mar 12, 2025 18:43:40.491722107 CET	53	64988	162.159.36.2	192.168.2.4
Mar 12, 2025 18:43:40.980830908 CET	53	58218	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 12, 2025 18:42:39.800205946 CET	192.168.2.4	1.1.1.1	0xb12d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:40.682209969 CET	192.168.2.4	1.1.1.1	0x4aaa	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:21.751039028 CET	192.168.2.4	1.1.1.1	0x86b5	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:23.254538059 CET	192.168.2.4	1.1.1.1	0xb597	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 12, 2025 18:42:39.807018995 CET	1.1.1.1	192.168.2.4	0xb12d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 12, 2025 18:42:39.807018995 CET	1.1.1.1	192.168.2.4	0xb12d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:39.807018995 CET	1.1.1.1	192.168.2.4	0xb12d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:39.807018995 CET	1.1.1.1	192.168.2.4	0xb12d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:39.807018995 CET	1.1.1.1	192.168.2.4	0xb12d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:39.807018995 CET	1.1.1.1	192.168.2.4	0xb12d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:40.689610958 CET	1.1.1.1	192.168.2.4	0x4aaa	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:40.689610958 CET	1.1.1.1	192.168.2.4	0x4aaa	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:40.689610958 CET	1.1.1.1	192.168.2.4	0x4aaa	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:40.689610958 CET	1.1.1.1	192.168.2.4	0x4aaa	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:40.689610958 CET	1.1.1.1	192.168.2.4	0x4aaa	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:40.689610958 CET	1.1.1.1	192.168.2.4	0x4aaa	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:42:40.689610958 CET	1.1.1.1	192.168.2.4	0x4aaa	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:21.758981943 CET	1.1.1.1	192.168.2.4	0x86b5	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:21.758981943 CET	1.1.1.1	192.168.2.4	0x86b5	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:21.758981943 CET	1.1.1.1	192.168.2.4	0x86b5	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:21.758981943 CET	1.1.1.1	192.168.2.4	0x86b5	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:21.758981943 CET	1.1.1.1	192.168.2.4	0x86b5	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:21.758981943 CET	1.1.1.1	192.168.2.4	0x86b5	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:21.758981943 CET	1.1.1.1	192.168.2.4	0x86b5	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 18:43:23.275908947 CET	1.1.1.1	192.168.2.4	0xb597	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49725	193.122.6.168	80	7564	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 18:42:39.820058107 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 12, 2025 18:42:40.476721048 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 17:42:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 12, 2025 18:42:40.487901926 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 12, 2025 18:42:40.679904938 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 17:42:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Target ID:	0
Start time:	13:41:48
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025PDF.scr.exe"
Imagebase:	0x100000
File size:	2'265'088 bytes
MD5 hash:	6126DFBCEF916C031C1B9C9906DBFA69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1733436944.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1730533843.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1730533843.00000000038EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1723688514.0000000002761000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:42:38
Start date:	12/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xc20000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000008.00000002.2475864432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2478463480.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2478463480.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_FEBQUOTE312025PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
QUOTATION_FEBQUOTE312025PDF.scr.exe