Edit tour

Windows Analysis Report
QUOTATION_FEBQUOTE312025#U00faPDF.scr

Overview

General Information

Sample name:	QUOTATION_FEBQUOTE312025#U00faPDF.scr renamed because original name is a hash value
Original sample name:	QUOTATION_FEBQUOTE312025PDF.scr
Analysis ID:	1636987
MD5:	4fe043bea3ad3955bda69278e57c263b
SHA1:	56a8523cbc82688216897074bed808f5f542d2ff
SHA256:	d2b721995e1d955002c31533c67e39f12d07ee8ce2f240bbcf6cb06d720a8646
Infos:

Detection

MSIL Logger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected Telegram RAT

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

QUOTATION_FEBQUOTE312025#U00faPDF.scr (PID: 1156 cmdline: "C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr" /S MD5: 4FE043BEA3AD3955BDA69278E57C263B)

InstallUtil.exe (PID: 7600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1823939915.00000000055C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000002.00000002.2568483160.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000002.00000002.2570061941.0000000003399000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QUOTATION_FEBQUOTE312025#U00faPDF.scr PID: 1156	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: QUOTATION_FEBQUOTE312025#U00faPDF.scr PID: 1156	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QUOTATION_FEBQUOTE312025#U00faPDF.scr PID: 1156	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: InstallUtil.exe PID: 7600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7600	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: InstallUtil.exe PID: 7600	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 9 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T09:52:02.116822+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	58086	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Avira: detected

Multi AV Scanner detection for submitted file

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr	Virustotal: Detection: 78%			Perma Link
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr	ReversingLabs: Detection: 83%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:58087 version: TLS 1.0

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824930585.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003C71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824930585.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003C71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.4:58085 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:58086 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:58087 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032CC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58087
Source: unknown	Network traffic detected: HTTP traffic on port 58087 -> 443

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824930585.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811444209.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000000.1313816844.00000000006F7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameItigoiauxnh.exe> vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1820722956.0000000004FB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLvciawyijt.dll" vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_FEBQUOTE312025#U00faPDF.scr
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr	Binary or memory string: OriginalFilenameItigoiauxnh.exe> vs QUOTATION_FEBQUOTE312025#U00faPDF.scr

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winSCR@3/0@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe, 00000002.00000002.2570061941.0000000003346000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2570061941.0000000003364000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2570061941.0000000003356000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr	Virustotal: Detection: 78%
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr	ReversingLabs: Detection: 83%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr "C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr" /S
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static file information: File size 1668096 > 1048576

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x145400

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824930585.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003C71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824930585.0000000005F10000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003C71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, GroupedArgument.cs

.Net Code: ValidateIdentifiableArgument System.AppDomain.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 00000000.00000002.1823939915.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_FEBQUOTE312025#U00faPDF.scr PID: 1156, type: MEMORYSTR

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr

Static PE information: section name: .text entropy: 7.861163348076448

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: QUOTATION_FEBQUOTE312025#U00faPDF.scr PID: 1156, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Memory allocated: D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr TID: 1376	Thread sleep count: 53 > 30			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr TID: 1376	Thread sleep time: -52947s >= -30000s			Jump to behavior

Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000002.00000002.2569265122.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 448000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 44A000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1068008	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Queries volume information: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2568483160.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_FEBQUOTE312025#U00faPDF.scr PID: 1156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7600, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7600, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000002.00000002.2570061941.0000000003399000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7600, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2568483160.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION_FEBQUOTE312025#U00faPDF.scr PID: 1156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7600, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7600, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	2 Virtualization/Sandbox Evasion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION_FEBQUOTE312025#U00faPDF.scr	78%	Virustotal		Browse
QUOTATION_FEBQUOTE312025#U00faPDF.scr	83%	ReversingLabs	ByteCode-MSIL.Trojan.Injuke
QUOTATION_FEBQUOTE312025#U00faPDF.scr	100%	Avira	TR/AD.GenSteal.dnrrh

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-neti	QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	InstallUtil.exe, 00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	InstallUtil.exe, 00000002.00000002.2570061941.00000000032FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	InstallUtil.exe, 00000002.00000002.2570061941.00000000032FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-net	QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000004083000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1824269542.0000000005640000.00000004.08000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org	InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	InstallUtil.exe, 00000002.00000002.2570061941.00000000032CC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_FEBQUOTE312025#U00faPDF.scr, 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	InstallUtil.exe, 00000002.00000002.2570061941.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636987
Start date and time:	2025-03-13 09:49:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_FEBQUOTE312025#U00faPDF.scr renamed because original name is a hash value
Original Sample Name:	QUOTATION_FEBQUOTE312025PDF.scr
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winSCR@3/0@2/2
Cookbook Comments:	Found application associated with file extension: .scr

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:51:43	API Interceptor	23x Sleep call for process: QUOTATION_FEBQUOTE312025#U00faPDF.scr modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	Compliance_Review_Documents_COSCO20250307_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	0xHPSESJcg.exe	Get hash	malicious	FormBook	Browse	www.otogel.pro/oi08/?Ezu=HLGOigk8zC7c6l2lrMh01rQ2OJKxivxPRh38Fqcsh+790en3zOTPiNsvxvX68DUiI9Ju&q6A=GbtXjbKPa
	7zKn77RsRX.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/
	IBbGrGi4A7.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ysWQ4BqQrF.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw==
	TXzf0xX2uq.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	begin.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	www.kdrqcyusevx.info/z84n/
	Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/fix/five/fre.php
	Payment.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
158.101.44.242	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	rDatosbancarios.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	pbgjw8i8N7.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	bddTkmucZP.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	158.101.44.242
reallyfreegeoip.org	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	miori.x86.elf	Get hash	malicious	Unknown	Browse	132.145.140.102
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
CLOUDFLARENETUS	https://stearncommmunity.com/profiles/52829086342741	Get hash	malicious	Unknown	Browse	172.67.184.158
	https://9b861c16-89be-495d-af06-94ec1b71b5cd-00-3shcaiuf2cafc.worf.replit.dev/	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://saleemitraders.com/wp/confirm.html	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	188.114.97.3
	https://sceanmcommnunmnlty.com/xroea/spwoe/zxiwe	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://s.team-ut.com/p/jgct-dvmcn/wjpamdwv	Get hash	malicious	Unknown	Browse	104.21.64.1
	https://case-id-1000228223704.counselschambers.co.uk/	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
	https://t.co/E2W9evnxED	Get hash	malicious	HTMLPhisher	Browse	104.21.17.201
	https://case-id-1000228219812.counselschambers.co.uk/	Get hash	malicious	HTMLPhisher	Browse	172.67.168.191
	https://sceanmcommnunmnlty.com/sotep/aofpe/zoepr	Get hash	malicious	Unknown	Browse	104.21.80.1
	https://case-id-1000228220021.counselschambers.co.uk/	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	efs.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	Product Order Hirsch 1475.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	8QeI7CboDY.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.16382286824618
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	QUOTATION_FEBQUOTE312025#U00faPDF.scr
File size:	1'668'096 bytes
MD5:	4fe043bea3ad3955bda69278e57c263b
SHA1:	56a8523cbc82688216897074bed808f5f542d2ff
SHA256:	d2b721995e1d955002c31533c67e39f12d07ee8ce2f240bbcf6cb06d720a8646
SHA512:	7855f907d948c00dc8e74f2eba5da79aab1b5734529ad8339562ae9f53345112807db0429ef623dcae4b48ed8e9b974f7fce78963a36193601a674193ad43b50
SSDEEP:	24576:CFE06H12KhUKQbXKe1QrMWXGFOZk7PVzFkndvORivosJ2FKjHqknu0:CFH6H12SUae1WMWVZAPT29O5syUHxu
TLSH:	5575D087B6B681B1CA50DB37C4E7190043A7ED45A7E2C71A28C973590A377BE8B53387
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<e.g.................T..........^s... ........@.. ....................................`................................

File Icon


Icon Hash:	0e3333b0bbb3b035

Static PE Info

General

Entrypoint:	0x54735e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C9653C [Thu Mar 6 09:05:00 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x147310	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x148000	0x51ae4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x145364	0x145400	f0908ae5b32f558f955e25e8c59b38f5	False	0.9192395573116833	data	7.861163348076448	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x148000	0x51ae4	0x51c00	ee484e4bd25e7c6a8360c0ccd56e9644	False	0.07142345183486239	data	2.352682013174501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x19a000	0xc	0x200	f46738a478f34a30a11d4d78bb53efb3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x148370	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.7601351351351351
RT_ICON	0x148498	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	0.7155963302752294
RT_ICON	0x148800	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6826241134751773
RT_ICON	0x148c68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5389784946236559
RT_ICON	0x148f50	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.470679012345679
RT_ICON	0x149bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4378517823639775
RT_ICON	0x14aca0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	0.36402439024390243
RT_ICON	0x14b308	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.33110687022900764
RT_ICON	0x14cfb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.30881742738589213
RT_ICON	0x14f558	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	0.2924174174174174
RT_ICON	0x14ffc0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	0.26580996884735203
RT_ICON	0x1531e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.24244213509683515
RT_ICON	0x157410	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.014139568600763382
RT_GROUP_ICON	0x199438	0xbc	data	0.5797872340425532
RT_VERSION	0x1994f4	0x404	data	0.4036964980544747
RT_MANIFEST	0x1998f8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	AhnLab V3 Lite Main UI Application
CompanyName	AhnLab, Inc.
FileDescription	AhnLab V3 Lite Main UI Application
FileVersion	4.0.0.117
InternalName	Itigoiauxnh.exe
LegalCopyright	2018-2019 AhnLab, Inc. All rights reserved.
LegalTrademarks
OriginalFilename	Itigoiauxnh.exe
ProductName	AhnLab V3 Lite
ProductVersion	4.0.0.117
Assembly Version	4.0.0.117

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T09:52:02.116822+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	58086	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 09:51:31.968234062 CET	58085	53	192.168.2.4	1.1.1.1
Mar 13, 2025 09:51:31.972991943 CET	53	58085	1.1.1.1	192.168.2.4
Mar 13, 2025 09:51:31.973083019 CET	58085	53	192.168.2.4	1.1.1.1
Mar 13, 2025 09:51:31.977853060 CET	53	58085	1.1.1.1	192.168.2.4
Mar 13, 2025 09:51:32.436952114 CET	58085	53	192.168.2.4	1.1.1.1
Mar 13, 2025 09:51:32.442980051 CET	53	58085	1.1.1.1	192.168.2.4
Mar 13, 2025 09:51:32.443108082 CET	58085	53	192.168.2.4	1.1.1.1
Mar 13, 2025 09:52:01.328071117 CET	58086	80	192.168.2.4	158.101.44.242
Mar 13, 2025 09:52:01.332884073 CET	80	58086	158.101.44.242	192.168.2.4
Mar 13, 2025 09:52:01.332946062 CET	58086	80	192.168.2.4	158.101.44.242
Mar 13, 2025 09:52:01.333211899 CET	58086	80	192.168.2.4	158.101.44.242
Mar 13, 2025 09:52:01.337846994 CET	80	58086	158.101.44.242	192.168.2.4
Mar 13, 2025 09:52:01.907402992 CET	80	58086	158.101.44.242	192.168.2.4
Mar 13, 2025 09:52:01.913964033 CET	58086	80	192.168.2.4	158.101.44.242
Mar 13, 2025 09:52:01.918796062 CET	80	58086	158.101.44.242	192.168.2.4
Mar 13, 2025 09:52:02.070343971 CET	80	58086	158.101.44.242	192.168.2.4
Mar 13, 2025 09:52:02.080246925 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:52:02.080291986 CET	443	58087	104.21.64.1	192.168.2.4
Mar 13, 2025 09:52:02.080353022 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:52:02.090930939 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:52:02.090945959 CET	443	58087	104.21.64.1	192.168.2.4
Mar 13, 2025 09:52:02.116822004 CET	58086	80	192.168.2.4	158.101.44.242
Mar 13, 2025 09:52:03.944679976 CET	443	58087	104.21.64.1	192.168.2.4
Mar 13, 2025 09:52:03.944765091 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:52:03.948749065 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:52:03.948761940 CET	443	58087	104.21.64.1	192.168.2.4
Mar 13, 2025 09:52:03.949117899 CET	443	58087	104.21.64.1	192.168.2.4
Mar 13, 2025 09:52:03.991811991 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:52:04.000535011 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:52:04.044327974 CET	443	58087	104.21.64.1	192.168.2.4
Mar 13, 2025 09:52:04.741264105 CET	443	58087	104.21.64.1	192.168.2.4
Mar 13, 2025 09:52:04.741442919 CET	443	58087	104.21.64.1	192.168.2.4
Mar 13, 2025 09:52:04.741823912 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:52:04.781903028 CET	58087	443	192.168.2.4	104.21.64.1
Mar 13, 2025 09:53:07.069581985 CET	80	58086	158.101.44.242	192.168.2.4
Mar 13, 2025 09:53:07.069647074 CET	58086	80	192.168.2.4	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 09:51:31.967761040 CET	53	59862	1.1.1.1	192.168.2.4
Mar 13, 2025 09:52:01.311664104 CET	53673	53	192.168.2.4	1.1.1.1
Mar 13, 2025 09:52:01.318608999 CET	53	53673	1.1.1.1	192.168.2.4
Mar 13, 2025 09:52:02.072005987 CET	53327	53	192.168.2.4	1.1.1.1
Mar 13, 2025 09:52:02.079480886 CET	53	53327	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 09:52:01.311664104 CET	192.168.2.4	1.1.1.1	0x9d79	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:02.072005987 CET	192.168.2.4	1.1.1.1	0x6883	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 09:52:01.318608999 CET	1.1.1.1	192.168.2.4	0x9d79	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 09:52:01.318608999 CET	1.1.1.1	192.168.2.4	0x9d79	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:01.318608999 CET	1.1.1.1	192.168.2.4	0x9d79	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:01.318608999 CET	1.1.1.1	192.168.2.4	0x9d79	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:01.318608999 CET	1.1.1.1	192.168.2.4	0x9d79	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:01.318608999 CET	1.1.1.1	192.168.2.4	0x9d79	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:02.079480886 CET	1.1.1.1	192.168.2.4	0x6883	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:02.079480886 CET	1.1.1.1	192.168.2.4	0x6883	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:02.079480886 CET	1.1.1.1	192.168.2.4	0x6883	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:02.079480886 CET	1.1.1.1	192.168.2.4	0x6883	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:02.079480886 CET	1.1.1.1	192.168.2.4	0x6883	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:02.079480886 CET	1.1.1.1	192.168.2.4	0x6883	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 09:52:02.079480886 CET	1.1.1.1	192.168.2.4	0x6883	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	58086	158.101.44.242	80	7600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 09:52:01.333211899 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 13, 2025 09:52:01.907402992 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 08:52:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b700168d68cff1bf64a74c79adda9f43 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 13, 2025 09:52:01.913964033 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 13, 2025 09:52:02.070343971 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 08:52:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e9ab5486ef4a9c16507db1e80231bd73 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	58087	104.21.64.1	443	7600	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 08:52:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-13 08:52:04 UTC	844	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 08:52:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 cf-cache-status: MISS last-modified: Thu, 13 Mar 2025 08:52:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xvlyGD7x7CI%2BSkfcWvQQD4MkXQxXSx7tkPc7NwzUg9XaNcZoC384byhzA%2F6guc1Ws89sfiff%2FgrbFFt8cR2dFXE2ByVzpcd9kW3RT8lxlkZIImPhG2yWlFIhVfMiMGx6NHs2bkND"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa4b067c36475c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25147&min_rtt=23983&rtt_var=8764&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=100020&cwnd=218&unsent_bytes=0&cid=f4356951c0e78fde&ts=911&x=0"
2025-03-13 08:52:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	04:51:10
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION_FEBQUOTE312025#U00faPDF.scr" /S
Imagebase:	0x560000
File size:	1'668'096 bytes
MD5 hash:	4FE043BEA3AD3955BDA69278E57C263B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1823939915.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1818939810.0000000003EAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1818939810.0000000003F9F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1811828778.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:52:00
Start date:	13/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xec0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.2568483160.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2570061941.0000000003399000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2570061941.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_FEBQUOTE312025#U00faPDF.scr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
QUOTATION_FEBQUOTE312025#U00faPDF.scr