
Windows Analysis Report
QUOTATION_MARQUOTE312025#U00faPDF.scr

Overview

General Information

Sample name: QUOTATION_MARQUOTE312025#U00faPDF.scr
(renamed by the sandbox; #U00fa is the escaped form of the non-ASCII character U+00FA (ú) in the submitted file name)
Original sample name: QUOTATION_MARQUOTE312025PDF.scr
Analysis ID: 1637189
MD5: 13ba19e0b6739fc60f03922aed943dc9
SHA1: 4d7b9cb1ebe9c068313e34653301a96a8ea33de3
SHA256: 81ff89ae24ade11b7adca19d9fc34b31b1b77caf3125ad8dbb40a47fb0f62b53

Detection

MSIL Logger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Yara detected MSIL Logger
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name recorded in the version info
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w7x64
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000000.00000002.478478560.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.476666794.0000000003241000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.476666794.0000000003241000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000002.00000002.626748654.00000000000F2000.00000020.00000400.00020000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
(5 of 9 entries shown)
Source | Rule | Description | Author
0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.32dc29e.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.5fb0000.16.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.32dc29e.4.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.5fb0000.16.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

                      System Summary

Sigma: Suspicious DNS Query for IP Lookup Service APIs
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke | Data: Image: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr, QueryName: checkip.dyndns.org

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T11:54:44.231996+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49163 | 193.122.130.0 | 80 | TCP

                      AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                      Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 198.16.88.194:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
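Added example, not part of the Joe Sandbox report: the two "Static PE information" lines above are the decoded COFF Characteristics and optional-header DllCharacteristics fields. The parser below reads both fields from a PE header and names the set bits, which is how to reproduce those lines on a sample offline. The header bytes it runs on are constructed here (machine 0x14C, three sections, GUI subsystem are arbitrary choices); the two flag values are set to reproduce exactly the flags the report lists, so the test image is not the sample itself.

```python
"""Decode PE COFF Characteristics and DllCharacteristics flags (added example)."""
import struct

# IMAGE_FILE_* bits of the COFF header Characteristics field (subset).
COFF_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_DLLCHARACTERISTICS_* bits of the optional header (subset).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_flags(value: int, table: dict) -> list:
    """Return the names of all bits in `table` that are set in `value`."""
    return sorted(name for bit, name in table.items() if value & bit)


def pe_characteristics(data: bytes) -> dict:
    """Locate the PE header via e_lfanew and decode both flag fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, _nsec, _ts, _symptr, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": hex(machine),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "characteristics": decode_flags(characteristics, COFF_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
    }


def is_32bit_image(info: dict) -> bool:
    """The condition behind the report's 'Uses 32bit PE files' signature."""
    return info["pe_format"] == "PE32" and "32BIT_MACHINE" in info["characteristics"]


def build_test_image(characteristics: int = 0x010E, dll_characteristics: int = 0x8560,
                     magic: int = 0x10B) -> bytes:
    """Constructed minimal image: DOS header, PE signature, COFF header, optional header.
    0x010E = EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT_MACHINE and
    0x8560 = HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE, i.e. the
    two flag sets listed in the report. Other header values are arbitrary (assumptions)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)                                         # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    info = pe_characteristics(build_test_image())
    print(info["pe_format"], info["characteristics"], info["dll_characteristics"])
```

HIGH_ENTROPY_VA on a PE32 image is a common .NET compiler default; it only matters when the CLR loads an AnyCPU assembly as a 64-bit process, so on its own it says nothing about the author's intent.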
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478120535.0000000005030000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003141000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478120535.0000000005030000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003141000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 4x nop then jmp 042A9457h (0_2_042A92D3)
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 4x nop then jmp 042A3D89h (0_2_042A3B49)
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 4x nop then jmp 042A3D89h (0_2_042A3B58)
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 4x nop then jmp 042A344Ah (0_2_042A33C8)
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (0_2_0528DDD8)
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 4x nop then jmp 0031E489h (2_2_0031DDFA)
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 4x nop then jmp 0031E489h (2_2_0031DE3E)
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (2_2_005162A0)
Source: global traffic | HTTP traffic detected: GET /api/file/get?filekey=YmcBf_yCowIJ_-0OSJ2J32Pq63RhMjfKVYVyiQ7wAVRg61cKgsdlHLacog&pk_vid=7138c067f80045c41741845350c1eb95 HTTP/1.1; Host: 2015.filemail.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 198.16.88.194
Source: Joe Sandbox View | IP Address: 104.21.32.1
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49163 -> 193.122.130.0:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                      Source: global trafficDNS traffic detected: DNS query: 2015.filemail.com
                      Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                      Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.00000000020E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://2015.filemail.com
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scrString found in binary or memory: http://2015.filemail.com/api/file/get?filekey=YmcBf_yCowIJ_-0OSJ2J32Pq63RhMjfKVYVyiQ7wAVRg61cKgsdlHL
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comX
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.0000000002121000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.0000000002121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/X
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgX
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.0000000000727000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.0000000000727000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgX
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.0000000002121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.000000000210D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://2015.filemail.com
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.000000000210D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://2015.filemail.com/api/file/get?filekey=YmcBf_yCowIJ_-0OSJ2J32Pq63RhMjfKVYVyiQ7wAVRg61cKgsdlH
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.0000000002121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.626903540.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627060723.00000000021AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189X
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.627336429.0000000005B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.00000000021A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
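Added example, not part of the Joe Sandbox report: a triage pass in Python over the three network patterns this report flags in one place. It covers the IP-lookup / geolocation beacons behind the Sigma "Suspicious DNS Query for IP Lookup Service APIs" hit (checkip.dyndns.org, reallyfreegeoip.org), the GET with no User-Agent header to 2015.filemail.com of the kind the ETPRO "Common Downloader Header Pattern" alert fired on, the hardcoded legacy MSIE 6.0 / .NET CLR 1.0.3705 User-Agent, and the TLS 1.0 session to 104.21.32.1. The sample requests, DNS names and TLS lines are reconstructed from the entries above; the IP-lookup hostnames beyond the two seen in this report, and the exact-match treatment of that User-Agent string, are assumptions of this example, not claims from the report.

```python
"""Triage sandbox network entries for IP-lookup beacons, UA-less GETs and weak TLS (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Public-IP / geolocation services. The first three appear in this report; the rest are
# assumed additions for illustration and should be tuned to your own environment.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org",
    "api.ipify.org", "ip-api.com", "ipinfo.io",
}
# Hardcoded legacy User-Agent seen in the report's checkip.dyndns.org requests; matched exactly.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
MIN_TLS = (1, 2)


@dataclass
class Finding:
    kind: str
    detail: str


def parse_http_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw request ('GET /p HTTP/1.1\\r\\nHost: h\\r\\n...') into method, path, headers."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, headers


def triage_http(raw: str) -> list[Finding]:
    """Flag IP-lookup hosts, requests with no User-Agent, and the known legacy UA."""
    method, path, headers = parse_http_request(raw)
    host = headers.get("host", "")
    out: list[Finding] = []
    if host in IP_LOOKUP_HOSTS:
        out.append(Finding("ip-lookup", f"{method} {host}{path}"))
    ua = headers.get("user-agent")
    if ua is None:
        out.append(Finding("no-user-agent", f"{method} {host}{path}"))
    elif ua == LEGACY_UA:
        out.append(Finding("legacy-user-agent", f"{host}: {ua}"))
    return out


def triage_dns(qname: str) -> list[Finding]:
    """DNS resolution of an IP-lookup service is the earliest signal in the chain."""
    return [Finding("ip-lookup-dns", qname)] if qname in IP_LOOKUP_HOSTS else []


_TLS_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) version: TLS (\d)\.(\d)")


def triage_tls(line: str) -> list[Finding]:
    """Flag any negotiated TLS version below MIN_TLS in a 'HTTPS traffic detected' line."""
    m = _TLS_RE.search(line)
    if not m:
        return []
    version = (int(m.group(5)), int(m.group(6)))
    if version < MIN_TLS:
        return [Finding("weak-tls", f"{m.group(1)}:{m.group(2)} TLS {version[0]}.{version[1]}")]
    return []


# Constructed sample input, rebuilt from the report's network entries.
SAMPLE_HTTP = [
    "GET /api/file/get?filekey=YmcBf_yCowIJ_-0OSJ2J32Pq63RhMjfKVYVyiQ7wAVRg61cKgsdlHLacog"
    "&pk_vid=7138c067f80045c41741845350c1eb95 HTTP/1.1\r\nHost: 2015.filemail.com\r\n"
    "Connection: Keep-Alive\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; "
    ".NET CLR1.0.3705;)\r\nHost: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n",
    "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n",
]
SAMPLE_DNS = ["2015.filemail.com", "checkip.dyndns.org", "reallyfreegeoip.org"]
SAMPLE_TLS = [
    "HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.22:49164 version: TLS 1.0",
    "HTTPS traffic detected: 198.16.88.194:443 -> 192.168.2.22:49162 version: TLS 1.2",
]


def triage_all(http=SAMPLE_HTTP, dns=SAMPLE_DNS, tls=SAMPLE_TLS) -> list[Finding]:
    findings: list[Finding] = []
    for raw in http:
        findings += triage_http(raw)
    for qname in dns:
        findings += triage_dns(qname)
    for line in tls:
        findings += triage_tls(line)
    return findings


def kind_counts(findings: list[Finding] | None = None) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in (findings if findings is not None else triage_all()):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_all():
        print(f"{f.kind:18} {f.detail}")
```

The filemail request is flagged only because it carries no User-Agent at all; a stager that copied a browser UA would pass this check, so the host-based and TLS-version checks are kept independent of it.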

                      System Summary

Source: initial sample | Static PE information: Filename: QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04317FF8 NtResumeThread
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04317FF0 NtResumeThread
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0034CD08
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_003434B7
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_00341BDF
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0034C378
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_003418DB
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_00341961
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_00341C36
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_01E92F28
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04125C2A
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0412DCB0
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0412CF80
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0412B0E8
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04123AEA
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04124410
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04124400
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0412DCA1
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_041233C0
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04158C70
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04153860
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0415649B
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04154B29
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04150006
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04153850
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04150040
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04158CB9
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04158CC8
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0415BE20
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0415AAD8
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_0415AAC9
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042A0040
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042A51D0
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042A51C6
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042A7228
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042A7219
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042C0040
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042C3A50
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042C1248
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_042C0367
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04310B18
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04310C96
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04315131
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_043145BF
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04310B08
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04311F92
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04316398
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04D2E7C8
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04D20040
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04D27D90
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04D27DA0
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Code function: 0_2_04D2C6D3
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_04D2C6E00_2_04D2C6E0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_04D29A680_2_04D29A68
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_04D273A00_2_04D273A0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_04D25B450_2_04D25B45
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_04D293180_2_04D29318
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_04D293080_2_04D29308
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_0528F5780_2_0528F578
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_052800400_2_05280040
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_05E6F8C00_2_05E6F8C0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_05E500400_2_05E50040
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_05E500190_2_05E50019
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 0_2_05E6E3100_2_05E6E310
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0031AA702_2_0031AA70
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00313A602_2_00313A60
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0031C3D02_2_0031C3D0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0031BCA02_2_0031BCA0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00312DED2_2_00312DED
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0031C0302_2_0031C030
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0031D0E82_2_0031D0E8
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_003199282_2_00319928
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0031AA602_2_0031AA60
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00313A502_2_00313A50
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_003142F02_2_003142F0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_003137A82_2_003137A8
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_003137982_2_00313798
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00318FD72_2_00318FD7
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005060C12_2_005060C1
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0050C8582_2_0050C858
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005070D82_2_005070D8
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00507C882_2_00507C88
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005020BE2_2_005020BE
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005034A92_2_005034A9
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005061CA2_2_005061CA
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005025E42_2_005025E4
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0050365D2_2_0050365D
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00501A452_2_00501A45
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005066152_2_00506615
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00506E3F2_2_00506E3F
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00501F112_2_00501F11
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005162A02_2_005162A0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0051A0082_2_0051A008
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005154212_2_00515421
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005170F02_2_005170F0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005179552_2_00517955
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005171002_2_00517100
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005161E32_2_005161E3
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00515D882_2_00515D88
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00515E082_2_00515E08
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_005162902_2_00516290
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00510BC32_2_00510BC3
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0051B79A2_2_0051B79A
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_007700142_2_00770014
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_007754B02_2_007754B0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_007754A02_2_007754A0
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_007776B62_2_007776B6
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_007776B82_2_007776B8
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_00774AAF2_2_00774AAF
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scrCode function: 2_2_0077671A2_2_0077671A
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.0000000002734000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000000.355807967.0000000000463000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOhvfxjialif.exe> vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478356891.0000000005D20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSlnviws.dll" vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473314744.0000000000674000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478120535.0000000005030000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.000000000210D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003141000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSlnviws.dll" vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.00000000031B7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.00000000021A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.626903540.0000000000554000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000002.00000002.626775980.000000000013A000.00000002.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr | Binary or memory string: OriginalFilenameOhvfxjialif.exe> vs QUOTATION_MARQUOTE312025#U00faPDF.scr
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, SimpleSubscriber.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, ry2y1e0rYXj2S9Ae1lO.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, QLB6gt9947mnOV3RnGD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, UFJwYskR7Ktwc6SIEZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.34fc620.8.raw.unpack, GtGJcVysHAcgDS7Ipn9.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winSCR@3/0@7/3
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Mutant created: NULL
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr "C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr" /S
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Process created: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr "C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr"
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: version.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: webio.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: credssp.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: version.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: webio.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: credssp.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATION_MARQUOTE312025#U00faPDF.scr | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478120535.0000000005030000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003141000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478120535.0000000005030000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003141000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.478070470.0000000004D90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.476666794.0000000003445000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, ry2y1e0rYXj2S9Ae1lO.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.34fc620.8.raw.unpack, GtGJcVysHAcgDS7Ipn9.cs.Net Code: Type.GetTypeFromHandle(x6P8onQpbI425ng7Iy3.JSvK26TqsK(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(x6P8onQpbI425ng7Iy3.JSvK26TqsK(16777255)),Type.GetTypeFromHandle(x6P8onQpbI425ng7Iy3.JSvK26TqsK(16777285))})
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, ActiveOrder.cs.Net Code: HandleScalableOrder System.AppDomain.Load(byte[])
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.3141510.7.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.30f14f0.5.raw.unpack, XmlSerializationHelper.cs    .Net Code: ReadObjectProperties
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.32dc29e.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.5fb0000.16.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.32dc29e.4.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.5fb0000.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.335ba90.6.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.329c27e.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.335ba90.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 00000000.00000002.478478560.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: 00000000.00000002.476666794.000000000335B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: 00000000.00000002.476666794.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: 00000000.00000002.473407134.00000000021A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: Process Memory Space: QUOTATION_MARQUOTE312025#U00faPDF.scr PID: 3424, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Code function: 0_2_01E952B4 pushad ; retf 0_2_01E952C1
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Code function: 0_2_01E936AC push 0C057F4Ch; ret 0_2_01E936BD
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Code function: 0_2_04125524 push ebp; retf 0_2_04125526
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Code function: 0_2_0415178C pushad ; iretd 0_2_0415178D
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Code function: 0_2_042A9FEC pushfd ; retf 005Ah 0_2_042A9FED
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Code function: 0_2_04D23DE6 push ebp; ret 0_2_04D23DE7
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, ry2y1e0rYXj2S9Ae1lO.cs    High entropy of concatenated method names: 'QrewvnOMoCXgHZnOfBL', 'H8jKZAOWHEnLUWSwvn7', 'T29R8VUJMe', 'vh0ry9Sq2v', 'a7DRFRXo5K', 'IS4RgtAAZ9', 'sRoRhh1QxT', 'gshR2dlCuG', 'Mt8F3DpRu6', 'j150PxJU58'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, KaJDVY21VyRMRm4AJy.cs    High entropy of concatenated method names: 'GAv4HCrM6', 'OkHLiW9v8', 'Equals', 'GetHashCode', 'nMLbPcEZG', 'ToString', 'h3qMeoIpIX43wkmuuuZ', 'USjVhxIiqPFAsHyEQAH', 'Equals', 'GetHashCode'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, tEn5vCRwe8SvqlFSrFh.cs    High entropy of concatenated method names: 'nueRGyE7qZ', 'WawRfMJ5am', 'uQfRXeV5Ia', 'VOvRjvH4uK', 'OjQRMvIfvW', 'a2nRW6ffiK', 'LeMR7nn3SQ', 'C6gR5hLLfY', 'bqyR3QcQB1', 'ovSRyUk472'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, QLB6gt9947mnOV3RnGD.cs    High entropy of concatenated method names: 'DslxTP7eng', 'z0Lx9kmpXr', 'bKfxcSbSDn', 'RT5xR1p4RK', 'lNHxJpmYNK', 'ssPxO51WyF', 'I2N9GEJje1b6Hp21hMk', 'YS5RNVJMx8ahRiNuLaE', 'sgp98uXPcG', 'nEP90kR7Lu'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, UFJwYskR7Ktwc6SIEZ.cs    High entropy of concatenated method names: 'cUuTtRZSQh', 'hLMTmgX4jw', 'zPg7EDJhClp7QM5KjE7', 'DXauFBJ2JRQMYBaW1Ow', 'NAoTVfqQop', 'MLyTrbRg8P', 'lrrTLd3vvB', 'fIXTfGOCCm', 'LT3TXxKbEq', 'fXnTM1cert'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, MozilSpeed.cs    High entropy of concatenated method names: 'tqnxkGN03d', 'Lg3xuEVpPg', 'o9IxDaISA2', 'cTLxBIx7YK', 'AtcxzKidiZ', 'Vm78nYtxxq', 'dClIgZOIZNyAEiwZXpp', 'miaiYLOJMlcK6HKuSHE', 'AyC8cpZFCQ', 'Wc98R3q0qq'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.34fc620.8.raw.unpack, GtGJcVysHAcgDS7Ipn9.cs    High entropy of concatenated method names: 'eVDwBEEl6E68uwQvMOI', 'fVF2MNEdQOMmBtsoUIO', 'aJEQt2hHxc', 'vh0ry9Sq2v', 'bUpQkjnUjH', 'IDiQeZogtD', 'spIQ3Soj9C', 'ldXQwUikrs', 'oABKVXhZLZ', 'AVWy1jHOyv'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.34fc620.8.raw.unpack, sLggdY2ZGUwNj0SqWcW.cs    High entropy of concatenated method names: 'RmjS3pe4dA', 'V3ISwKMIdE', 'SMvSDWNMTV', 'oitYSFbiJZOYueuTKaP', 'vvA8Xcb8HWJTbVirhQE', 'qdL2RuwDDv', 'zVw2AEWJYv', 'mYO2Gf85M1', 'BLv2z98Ntg', 'wMbSn1NC1I'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.34fc620.8.raw.unpack, estXs7QcysUifyngKSm.cs    High entropy of concatenated method names: 'WxCQxG0jhr', 'ClKQbxrT9P', 'bQPQE8Vvtg', 'e72Quw30j5', 'zavQqah1q0', 'vBuQKxFMHO', 'NnEQLksqce', 'VjbQZLsGET', 'oSHQXJrKKS', 'LddQRaY8kJ'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.34fc620.8.raw.unpack, sPALwASxMCLw1KpM57C.cs    High entropy of concatenated method names: 'b3jSKOQPS0', 'v7TSL16ZyR', 'N6xSZWNLXI', 'G1KSX9oKsP', 'ulmSR22JRv', 'lLTSAvnJMi', 'paPSG2qRpU', 'CfOSzM2DM8', 'xKuyng6S3l', 'QYOyr8xD7j'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.34fc620.8.raw.unpack, CljXSsQAkMU7ih7IXFh.cs    High entropy of concatenated method names: 'QMQ4GTmMoy', 'yM14zgPTon', 'vQVNnjWqyu', 'tnRNr6e2b3', 'FTaNopJ721', 'Ok7Nm7dcmF', 'njONY1SF08', 'eT29N2BPdc', 'r9LNhqbT9p', 'caTNlMgy8r'
                      Source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.34fc620.8.raw.unpack, XQ5d7tr2H7O3ZFaBM3u.cs    High entropy of concatenated method names: 'GaYryHtNCX', 'T5XrQ6VWSP', 'gyFrkMTKHI', 'vsYr3TR40U', 'fxVrDVSHKa', 'JL9rNSbtXx', 'tulr0pYCF6', 'WC5rWgUwwP', 'QZpri2dIw6', 'VvurUYDuhj'

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.00000000021A7000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Memory allocated: 340000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Memory allocated: 20E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Memory allocated: 470000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Memory allocated: 310000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Memory allocated: 2120000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Memory allocated: 6C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Thread delayed: delay time: 600000
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Window / User API: threadDelayed 1230
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Window / User API: threadDelayed 8598
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr TID: 3500    Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr TID: 3500    Thread sleep time: -7200000s >= -30000s
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr TID: 3504    Thread sleep count: 1230 > 30
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr TID: 3504    Thread sleep count: 8598 > 30
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr TID: 3748    Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Thread delayed: delay time: 600000
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.00000000021A7000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: VMware|VIRTUAL|A M I|Xen
                      Source: QUOTATION_MARQUOTE312025#U00faPDF.scr, 00000000.00000002.473407134.00000000021A7000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: Microsoft|VMWare|Virtual
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Memory written: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr base: F0000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Process created: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr "C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr"
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Queries volume information: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr VolumeInformation
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 2.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 00000000.00000002.476666794.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: 00000002.00000002.626748654.00000000000F2000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: 00000000.00000002.476666794.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: Process Memory Space: QUOTATION_MARQUOTE312025#U00faPDF.scr PID: 3424, type: MEMORYSTR
                      Source: Yara match    File source: Process Memory Space: QUOTATION_MARQUOTE312025#U00faPDF.scr PID: 3704, type: MEMORYSTR
                      Source: Yara match    File source: 00000002.00000002.627060723.0000000002121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: Process Memory Space: QUOTATION_MARQUOTE312025#U00faPDF.scr PID: 3704, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                      Source: C:\Users\user\Desktop\QUOTATION_MARQUOTE312025#U00faPDF.scr    Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                      Source: Yara match    File source: 00000002.00000002.627060723.0000000002237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: Process Memory Space: QUOTATION_MARQUOTE312025#U00faPDF.scr PID: 3704, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 2.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 0.2.QUOTATION_MARQUOTE312025#U00faPDF.scr.31da600.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 00000000.00000002.476666794.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: 00000002.00000002.626748654.00000000000F2000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: 00000000.00000002.476666794.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: Process Memory Space: QUOTATION_MARQUOTE312025#U00faPDF.scr PID: 3424, type: MEMORYSTR
                      Source: Yara match    File source: Process Memory Space: QUOTATION_MARQUOTE312025#U00faPDF.scr PID: 3704, type: MEMORYSTR
                      Source: Yara match    File source: 00000002.00000002.627060723.0000000002121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match    File source: Process Memory Space: QUOTATION_MARQUOTE312025#U00faPDF.scr PID: 3704, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column in the order the report prints them. Bracketed digits are the report's per-technique signature badges, copied as printed; techniques without a bracket are matrix placeholders with no matching signature for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scheduled Task/Job [1]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection [111]; Scheduled Task/Job [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Modify Registry [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Install Root Certificate [1]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Query Registry [1]; Security Software Discovery [11]; Process Discovery [1]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [1]; System Information Discovery [13]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [11]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
