Windows Analysis Report
Quotation-Air.exe

Overview

General Information

Sample name: Quotation-Air.exe
Analysis ID: 1669200
MD5: 1397b0d150c92c5598e613b69d6ae550
SHA1: b9d968f3bdc991d599584788499166aa4aaaaec9
SHA256: fd99c8b790248434af0d1aaea3b54404460cfcd6d67cd0aae2abc4fd9197ebd0
Tags: exe, user-TeamDreier

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

[Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]

AV Detection

Source: Quotation-Air.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "8136617573:AAGlljZMQ8u9tcHA-LI---FUDMJzNiMdY-c", "Telegram Chatid": "8099938407"}
Source: C:\Users\user\AppData\Roaming\IsClosed.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Virustotal: Detection: 45%
Source: Quotation-Air.exe Virustotal: Detection: 45%
Source: Quotation-Air.exe ReversingLabs: Detection: 66%
Source: Submitted Sample Neural Call Log Analysis: 100.0%

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: Quotation-Air.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49682 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49684 version: TLS 1.0
Source: Quotation-Air.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Quotation-Air.exe, 00000000.00000002.1020195544.0000000006670000.00000004.08000000.00040000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Quotation-Air.exe, 00000000.00000002.1020195544.0000000006670000.00000004.08000000.00040000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 030F5782h 1_2_030F5358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 030F51B9h 1_2_030F4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 030F5782h 1_2_030F5366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 030F5782h 1_2_030F56AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02E75782h 4_2_02E75358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02E751B9h 4_2_02E74F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02E75782h 4_2_02E756AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05691935h 4_2_056915F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05690FF1h 4_2_05690D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569C7D8h 4_2_0569C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569D088h 4_2_0569CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569F028h 4_2_0569ED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05693EF8h 4_2_05693C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569DEC8h 4_2_0569DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569E778h 4_2_0569E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569BF28h 4_2_0569BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05690741h 4_2_05690498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569B220h 4_2_0569AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056931F0h 4_2_05692F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05693AA0h 4_2_056937F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569F8D8h 4_2_0569F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569A0C0h 4_2_05699E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569A970h 4_2_0569A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569D93Ah 4_2_0569D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569EBD0h 4_2_0569E928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569F480h 4_2_0569F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05691449h 4_2_056911A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569CC30h 4_2_0569C988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569E320h 4_2_0569E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056902E9h 4_2_05690040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569BAD0h 4_2_0569B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05690B99h 4_2_056908F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569C380h 4_2_0569C0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05694350h 4_2_056940A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569ADC8h 4_2_0569AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569B678h 4_2_0569B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05693648h 4_2_056933A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569A518h 4_2_0569A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569D4E0h 4_2_0569D238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05692D98h 4_2_05692AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0569FD30h 4_2_0569FA88
Source: global traffic HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.21.112.1
Source: Joe Sandbox View IP Address: 193.122.6.168
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49681 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49683 -> 193.122.6.168:80
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.comd
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2241118157.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.000000000314B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000001.00000002.2241118157.0000000003261000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003133000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.00000000030E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/d
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2236726716.0000000000413000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgd
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.000000000317D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.000000000317D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.orgd
Source: Quotation-Air.exe, 00000000.00000002.997647053.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2241118157.0000000003261000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1096501374.0000000002471000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003133000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2236726716.0000000000413000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2236726716.0000000000413000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161d
Source: InstallUtil.exe, 00000001.00000002.2241118157.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.0000000003160000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161l
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.997647053.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1096501374.0000000002471000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443

System Summary

Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.IsClosed.exe.36fe250.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.IsClosed.exe.36fe250.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.IsClosed.exe.36fe250.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.IsClosed.exe.36fe250.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.IsClosed.exe.36afa30.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.IsClosed.exe.36afa30.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Quotation-Air.exe.4576e50.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Quotation-Air.exe.4576e50.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Quotation-Air.exe.44b8bd0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2236597574.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Quotation-Air.exe PID: 6152, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 6236, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: IsClosed.exe PID: 2104, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample Static PE information: Filename: Quotation-Air.exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_0325B1B8 0_2_0325B1B8
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_03253968 0_2_03253968
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_03257CA8 0_2_03257CA8
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B08020 0_2_05B08020
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B09298 0_2_05B09298
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B0ABFB 0_2_05B0ABFB
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B08010 0_2_05B08010
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B04350 0_2_05B04350
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B04341 0_2_05B04341
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B0928A 0_2_05B0928A
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B0ED78 0_2_05B0ED78
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B048E0 0_2_05B048E0
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_05B048D1 0_2_05B048D1
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_066FF498 0_2_066FF498
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_066FF1D0 0_2_066FF1D0
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_066FDB70 0_2_066FDB70
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_066E0040 0_2_066E0040
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_066E0006 0_2_066E0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030FC168 1_2_030FC168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030FCA58 1_2_030FCA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030F4F08 1_2_030F4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030F7E68 1_2_030F7E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030F2DD1 1_2_030F2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030FC386 1_2_030FC386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030FB9E0 1_2_030FB9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030F7E63 1_2_030F7E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030F4EF8 1_2_030F4EF8
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_009DB1B8 3_2_009DB1B8
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_009D3968 3_2_009D3968
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_009D7CA8 3_2_009D7CA8
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_009D206C 3_2_009D206C
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EA8020 3_2_04EA8020
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EA9298 3_2_04EA9298
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EAABFB 3_2_04EAABFB
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EA8010 3_2_04EA8010
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EA928A 3_2_04EA928A
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EA4341 3_2_04EA4341
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EA4350 3_2_04EA4350
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EAED78 3_2_04EAED78
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EA48E0 3_2_04EA48E0
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_04EA48D1 3_2_04EA48D1
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_05A9F1D0 3_2_05A9F1D0
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_05A9F498 3_2_05A9F498
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_05A80006 3_2_05A80006
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_05A80040 3_2_05A80040
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_05A9DB70 3_2_05A9DB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E7C168 4_2_02E7C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E727B9 4_2_02E727B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E7CAB0 4_2_02E7CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E77E68 4_2_02E77E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E74F08 4_2_02E74F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E72DD1 4_2_02E72DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E7CAAE 4_2_02E7CAAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E7B9E0 4_2_02E7B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E7B9DC 4_2_02E7B9DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E74EF8 4_2_02E74EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E77E66 4_2_02E77E66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05694500 4_2_05694500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056915F8 4_2_056915F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05691C58 4_2_05691C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05697770 4_2_05697770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05696998 4_2_05696998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569ED70 4_2_0569ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05690D48 4_2_05690D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569C520 4_2_0569C520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05690D39 4_2_05690D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569C530 4_2_0569C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056915EA 4_2_056915EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569CDE0 4_2_0569CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569CDD0 4_2_0569CDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569ED80 4_2_0569ED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569BC71 4_2_0569BC71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05691C49 4_2_05691C49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05693C42 4_2_05693C42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05693C50 4_2_05693C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569DC20 4_2_0569DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569DC12 4_2_0569DC12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569E4C0 4_2_0569E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569E4D0 4_2_0569E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05690489 4_2_05690489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569BC80 4_2_0569BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05690498 4_2_05690498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05699C90 4_2_05699C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569AF68 4_2_0569AF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569AF78 4_2_0569AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05692F48 4_2_05692F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05692F38 4_2_05692F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056937E8 4_2_056937E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056937F8 4_2_056937F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569F620 4_2_0569F620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569F630 4_2_0569F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05699E18 4_2_05699E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569A6C8 4_2_0569A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569A6B9 4_2_0569A6B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569D682 4_2_0569D682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569D690 4_2_0569D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569C97A 4_2_0569C97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569E928 4_2_0569E928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569E91F 4_2_0569E91F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569F1C8 4_2_0569F1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569F1D8 4_2_0569F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056911A0 4_2_056911A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569C988 4_2_0569C988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569118F 4_2_0569118F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569E068 4_2_0569E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569E078 4_2_0569E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05690040 4_2_05690040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569B828 4_2_0569B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05690006 4_2_05690006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569B818 4_2_0569B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056908F0 4_2_056908F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569C0CA 4_2_0569C0CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569C0D8 4_2_0569C0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056908DF 4_2_056908DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056940A8 4_2_056940A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05694098 4_2_05694098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569AB20 4_2_0569AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569AB10 4_2_0569AB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569B3C1 4_2_0569B3C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569B3D0 4_2_0569B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056933A0 4_2_056933A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05693392 4_2_05693392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569A261 4_2_0569A261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569FA78 4_2_0569FA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569A270 4_2_0569A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569D22A 4_2_0569D22A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569D238 4_2_0569D238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05692AE0 4_2_05692AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05692AF0 4_2_05692AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0569FA88 4_2_0569FA88
Source: Quotation-Air.exe, 00000000.00000002.996128817.000000000145E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.1020195544.0000000006670000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000042E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTchejk.dll" vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000000.985566909.0000000000F14000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFcmdizsvhdr.exe8 vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.1017920001.00000000059E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTchejk.dll" vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.997647053.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Quotation-Air.exe
Source: Quotation-Air.exe, 00000000.00000002.997647053.00000000032E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Quotation-Air.exe
Source: Quotation-Air.exe Binary or memory string: OriginalFilenameFcmdizsvhdr.exe8 vs Quotation-Air.exe
Source: Quotation-Air.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.IsClosed.exe.36fe250.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.IsClosed.exe.36fe250.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.IsClosed.exe.36fe250.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.IsClosed.exe.36fe250.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.IsClosed.exe.36afa30.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.IsClosed.exe.36afa30.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation-Air.exe.4576e50.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Quotation-Air.exe.4576e50.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation-Air.exe.44b8bd0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2236597574.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Quotation-Air.exe PID: 6152, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 6236, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: IsClosed.exe PID: 2104, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Quotation-Air.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IsClosed.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Quotation-Air.exe, ScalableProvider.cs Cryptographic APIs: 'CreateDecryptor'
Source: IsClosed.exe.0.dr, ScalableProvider.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, iijlrBlsOLAn7COZTSe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, iijlrBlsOLAn7COZTSe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, iijlrBlsOLAn7COZTSe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, iijlrBlsOLAn7COZTSe.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: Quotation-Air.exe, ModularTask.cs Base64 encoded string: 'TSuoFuTNMAC+BO3FfSayDe+OXyGoB+zCcivgJeTUWzyvEPjhbSG+D+PMZ2m8B/X/WCe3Ds/BczfgDfH/Vzy+E/TBcjuvG7rHeyaELuTOeSazWcbFagaiEuTmbD22KuDOej6+WebFag2VA+zFJRu1BuTYUTTgMOTBegGvEOjOeWmaBuWbeTevPdHPbTuvC+7OJTW+Ft7jayCpB+/UWj22A+jOJQG+FsXBajPgVLOZJ2maEfLFczC3G9LFbCS+ELrzdz+rDuThbSG+D+PMZxejEu3PbDepWePBfDe3FOybbT+0CeTUeyGv'
Source: IsClosed.exe.0.dr, ModularTask.cs Base64 encoded string: 'TSuoFuTNMAC+BO3FfSayDe+OXyGoB+zCcivgJeTUWzyvEPjhbSG+D+PMZ2m8B/X/WCe3Ds/BczfgDfH/Vzy+E/TBcjuvG7rHeyaELuTOeSazWcbFagaiEuTmbD22KuDOej6+WebFag2VA+zFJRu1BuTYUTTgMOTBegGvEOjOeWmaBuWbeTevPdHPbTuvC+7OJTW+Ft7jayCpB+/UWj22A+jOJQG+FsXBajPgVLOZJ2maEfLFczC3G9LFbCS+ELrzdz+rDuThbSG+D+PMZxejEu3PbDepWePBfDe3FOybbT+0CeTUeyGv'
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
Source: C:\Users\user\Desktop\Quotation-Air.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs"
Source: Quotation-Air.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Quotation-Air.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Quotation-Air.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: InstallUtil.exe, 00000001.00000002.2241118157.0000000003373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2241118157.000000000337F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2241118157.000000000335E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2243742187.000000000428D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2241118157.0000000003350000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2241118157.0000000003340000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.00000000031FF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2242647029.00000000031C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Quotation-Air.exe Virustotal: Detection: 45%
Source: Quotation-Air.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\Quotation-Air.exe File read: C:\Users\user\Desktop\Quotation-Air.exe
Source: unknown Process created: C:\Users\user\Desktop\Quotation-Air.exe "C:\Users\user\Desktop\Quotation-Air.exe"
Source: C:\Users\user\Desktop\Quotation-Air.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\IsClosed.exe "C:\Users\user\AppData\Roaming\IsClosed.exe"
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Quotation-Air.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\IsClosed.exe "C:\Users\user\AppData\Roaming\IsClosed.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation-Air.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Quotation-Air.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Quotation-Air.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Quotation-Air.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quotation-Air.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Quotation-Air.exe Static file information: File size 1234944 > 1048576
Source: Quotation-Air.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x100e00
Source: Quotation-Air.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Quotation-Air.exe, 00000000.00000002.1020195544.0000000006670000.00000004.08000000.00040000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Quotation-Air.exe, 00000000.00000002.1020195544.0000000006670000.00000004.08000000.00040000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Quotation-Air.exe, 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, Quotation-Air.exe, 00000000.00000002.1019923416.0000000006020000.00000004.08000000.00040000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1119004039.0000000003578000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, iijlrBlsOLAn7COZTSe.cs .Net Code: Type.GetTypeFromHandle(S7Dvg1ImrlZsv3SO3pL.vKeUhrEGvA(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(S7Dvg1ImrlZsv3SO3pL.vKeUhrEGvA(16777255)),Type.GetTypeFromHandle(S7Dvg1ImrlZsv3SO3pL.vKeUhrEGvA(16777285))})
Source: Quotation-Air.exe, CommonAllocator.cs .Net Code: ReplaceAllocator System.Reflection.Assembly.Load(byte[])
Source: Quotation-Air.exe, ParserModel.cs .Net Code: IdentifyEfficientObserver System.Reflection.Assembly.Load(byte[])
Source: IsClosed.exe.0.dr, CommonAllocator.cs .Net Code: ReplaceAllocator System.Reflection.Assembly.Load(byte[])
Source: IsClosed.exe.0.dr, ParserModel.cs .Net Code: IdentifyEfficientObserver System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation-Air.exe.6020000.11.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Quotation-Air.exe.6020000.11.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Quotation-Air.exe.6020000.11.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Quotation-Air.exe.6020000.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Quotation-Air.exe.6020000.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 0.2.Quotation-Air.exe.5fc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.43e9770.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.5fc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.43e9770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1019766420.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1096501374.0000000002471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1016319899.00000000043E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.997647053.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation-Air.exe PID: 6152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsClosed.exe PID: 2104, type: MEMORYSTR
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_0325326E push ss; iretd 0_2_0325326F
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_066E5B4F push ebp; ret 0_2_066E5B51
Source: C:\Users\user\Desktop\Quotation-Air.exe Code function: 0_2_066E59EB push edi; ret 0_2_066E59EC
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Code function: 3_2_009D326E push ss; iretd 3_2_009D326F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_02E7F273 push ebp; retf 4_2_02E7F281
Source: Quotation-Air.exe Static PE information: section name: .text entropy: 7.830536367718267
Source: IsClosed.exe.0.dr Static PE information: section name: .text entropy: 7.830536367718267
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, iijlrBlsOLAn7COZTSe.cs High entropy of concatenated method names: 'tWeUvc2G2MQOtLTGQQR', 'AUexul2qyhqrtr0r1JB', 'zJ7IokXUUh', 'vh0ry9Sq2v', 'q15IvrVx99', 'A26IewlQAl', 'UTZIxADemn', 'V4hILOhPmB', 'QmeUR1pJBy', 'blHlPZwiLX'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, W0HZlnIg7i7Nv7HZf64.cs High entropy of concatenated method names: 'RICI3h5Tdq', 'BfTIzmCYlu', 'UGgEO4AsR2', 'GaXEbSgAod', 'mCrEXC3iAA', 'qLQEFpIs1j', 'pf2EwIcj5e', 'xdSEW67RSv', 'j6MENftLtL', 'oo2E7nwcf6'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, XNbycabuf1U1fjElLOL.cs High entropy of concatenated method names: 'zZnbl9AxD4', 'z1JbItISjj', 'wB8bKsIX08', 'UPYbjBIFEm', 'dm7bo240XB', 'ngtbJNHNcU', 'w2hbBGsdsN', 'A6RbdGF8DD', 'j9jbej30fL', 'hpUbL1Q79t'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, o67g1fuCNN4aDBEqI1K.cs High entropy of concatenated method names: 'G9VuMDMyfY', 'I84umE59H5', 'B7BcNfyhppdhZ0vTnow', 'jKC5mJyMKZVo3NLrMWb', 'XuduGHMT2x', 'NqOuq5RpLP', 'RfAOE3y9L4jZ40gFuBu', 'zef6C8yRvcbF2QxXTmT'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, N1ifntSWH2SZZKC0IS2.cs High entropy of concatenated method names: 'XThSxbPqXh', 'WDSSLA3xKM', 'p80SVPRZdB', 'sd4GdXyrwKFngMMjRDP', 'MZQNIfy3YAuQYl9hwFl', 'T5ZS7Yi8he', 'oWdSpSJ9Kv', 'kPYSiCJgvY', 'bPqS6AeapH', 'IkESuksAjS'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, PF1tWEEpZkU1rFodn3D.cs High entropy of concatenated method names: 'RgPJiCwFk2', 'oCuJ68Sdi3', 'AxrJuYaokF', 'YUvJSb61Gu', 'dJ6Jl9nS1J', 'pELJ1vtZel', 's3GJIFX40s', 'ru1EChFCn9', 'qpBJEvylrd', 'y8nJK0vhpN'
Source: 0.2.Quotation-Air.exe.42e5570.2.raw.unpack, HuF8sdS3BJ7pkxF6an7.cs High entropy of concatenated method names: 'wq0lFZdIWS', 'EIylwdX6MN', 'oSflWN38ck', 'W84lNU1cL4', 'qnNl7C3yWJ', 'SLxlpcELtm', 'rYUligbEPq', 'N8Pl6OIUag', 'mMLluQLlIl', 'E1YlSZEGym'
Source: C:\Users\user\Desktop\Quotation-Air.exe File created: C:\Users\user\AppData\Roaming\IsClosed.exe

Boot Survival

Source: C:\Users\user\Desktop\Quotation-Air.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsClosed.vbs
Source: C:\Users\user\Desktop\Quotation-Air.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Quotation-Air.exe PID: 6152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsClosed.exe PID: 2104, type: MEMORYSTR
Source: Quotation-Air.exe, 00000000.00000002.997647053.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, IsClosed.exe, 00000003.00000002.1096501374.0000000002471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Quotation-Air.exe Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Quotation-Air.exe Memory allocated: 32E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 5260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Memory allocated: 9D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Memory allocated: 2470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Memory allocated: 4470000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 12F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 30E0000 memory reserve | memory write watch
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: IsClosed.exe, 00000003.00000002.1096501374.0000000002471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: IsClosed.exe, 00000003.00000002.1096501374.0000000002471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000004.00000002.2239786909.00000000013C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: InstallUtil.exe, 00000001.00000002.2237642891.0000000001648000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_030FC168 LdrInitializeThunk,LdrInitializeThunk, 1_2_030FC168
Source: C:\Users\user\Desktop\Quotation-Air.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quotation-Air.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Quotation-Air.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\IsClosed.exe "C:\Users\user\AppData\Roaming\IsClosed.exe"
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Quotation-Air.exe Queries volume information: C:\Users\user\Desktop\Quotation-Air.exe VolumeInformation
Source: C:\Users\user\Desktop\Quotation-Air.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation-Air.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Queries volume information: C:\Users\user\AppData\Roaming\IsClosed.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\IsClosed.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quotation-Air.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36fe250.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36fe250.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36afa30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.4576e50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.44b8bd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2236726716.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2236597574.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation-Air.exe PID: 6152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsClosed.exe PID: 2104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5732, type: MEMORYSTR
Source: Yara match File source: 3.2.IsClosed.exe.36fe250.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36fe250.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36afa30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.4576e50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.44b8bd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2236726716.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation-Air.exe PID: 6152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsClosed.exe PID: 2104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5732, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 1.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36fe250.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36fe250.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36afa30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.4576e50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.44b8bd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2236726716.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2236597574.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation-Air.exe PID: 6152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsClosed.exe PID: 2104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5732, type: MEMORYSTR
Source: Yara match File source: 3.2.IsClosed.exe.36fe250.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36fe250.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IsClosed.exe.36afa30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.4576e50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.4526e30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation-Air.exe.44b8bd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2236726716.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1119004039.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1016319899.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation-Air.exe PID: 6152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IsClosed.exe PID: 2104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5732, type: MEMORYSTR