
Windows Analysis Report
u5GtsPYWPJ.exe

Overview

General Information

Sample name: u5GtsPYWPJ.exe (renamed because the original name is a hash value)
Original sample name: 0e309bd90113e64d2e8a3111af9e11bed3569d271e06da66019b7c46227752c1.exe
Analysis ID: 1588848
MD5: 7111b2fefbb476ab57390ad4ad9efe7e
SHA1: a3068840c79c7369d04729c3dcf92115f1fb0500
SHA256: 0e309bd90113e64d2e8a3111af9e11bed3569d271e06da66019b7c46227752c1
Tags: exe, user-adrian__luca

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
AI detected suspicious sample
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • u5GtsPYWPJ.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\u5GtsPYWPJ.exe" MD5: 7111B2FEFBB476AB57390AD4AD9EFE7E)
    • InstallUtil.exe (PID: 6600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • WerFault.exe (PID: 5080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
No configs have been found
Yara matches (Source | Rule | Description | Author)
00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.1726001159.0000000005280000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
Process Memory Space: u5GtsPYWPJ.exe PID: 6292 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
Process Memory Space: u5GtsPYWPJ.exe PID: 6292 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: InstallUtil.exe PID: 6600 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.u5GtsPYWPJ.exe.5280000.5.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

              Data Obfuscation

Sigma: Drops script at startup location | Author: Joe Security | Source: File created | Data: EventID: 11, Image: C:\Users\user\Desktop\u5GtsPYWPJ.exe, ProcessId: 6292, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs
              No Suricata rule has matched
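Added example, not part of the Joe Sandbox report: the Sigma hit above (Sysmon Event ID 11, Count.vbs written to the Startup folder) and the process tree in the Classification section (InstallUtil.exe started with an empty command line by the sample, then WerFault.exe for PID 6600) are the two observations an analyst would turn into host-based detections. The Python below runs those checks over constructed Sysmon-style events that mirror the report's PIDs and paths, plus two benign controls. The names of .NET hosts other than InstallUtil.exe, the user-writable-parent heuristic and the script extension list are assumptions, not findings from the report.

```python
"""Sysmon-style triage for two behaviours in this report: a script written to
the per-user Startup folder (Sysmon Event ID 11) and InstallUtil.exe started
with no arguments by a process under a user-writable path (Event ID 1).
Added example code; not Joe Sandbox's signatures or the Sigma rule's logic."""
import ntpath
from typing import Dict, List, Optional

STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
# InstallUtil.exe is the host seen in the report; the other names are an
# assumption (other .NET binaries commonly hollowed), not report findings.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _arguments(cmdline: str) -> str:
    """Return whatever follows the executable token of a Windows command line."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[end + 1:].strip() if end != -1 else ""
    parts = c.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def _werfault_target_pid(cmdline: str) -> Optional[int]:
    """WerFault.exe names the crashed process as '-p <pid>'."""
    toks = cmdline.split()
    for i in range(len(toks) - 1):
        if toks[i].lower() == "-p" and toks[i + 1].isdigit():
            return int(toks[i + 1])
    return None


def script_dropped_in_startup(ev: Dict) -> bool:
    if ev.get("EventID") != 11:
        return False
    target = _norm(ev.get("TargetFilename", ""))
    return STARTUP_MARKER in target and ntpath.splitext(target)[1] in SCRIPT_EXTS


def host_started_without_args(ev: Dict) -> bool:
    if ev.get("EventID") != 1:
        return False
    image = ntpath.basename(_norm(ev.get("Image", "")))
    parent = _norm(ev.get("ParentImage", ""))
    return (image in HOLLOW_HOSTS
            and _arguments(ev.get("CommandLine", "")) == ""
            and any(marker in parent for marker in USER_WRITABLE))


def triage(events: List[Dict]) -> List[Dict]:
    """Two passes: flag events, then tie WerFault crashes back to flagged hosts."""
    findings, suspects = [], set()
    for ev in events:
        if script_dropped_in_startup(ev):
            findings.append({"rule": "script_in_startup_folder",
                             "pid": ev["ProcessId"], "detail": ev["TargetFilename"]})
        if host_started_without_args(ev):
            suspects.add(ev["ProcessId"])
            findings.append({"rule": "dotnet_host_without_args", "pid": ev["ProcessId"],
                             "detail": f'{ev["ParentImage"]} -> {ev["Image"]}'})
    for ev in events:  # a crash of a suspect host corroborates a botched injection
        if ev.get("EventID") == 1 and ntpath.basename(_norm(ev.get("Image", ""))) == "werfault.exe":
            pid = _werfault_target_pid(ev.get("CommandLine", ""))
            if pid in suspects:
                findings.append({"rule": "crash_of_suspect_host", "pid": pid,
                                 "detail": ev["CommandLine"]})
    return findings


# Constructed events mirroring the report's process tree and Sigma hit, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6292, "Image": r"C:\Users\user\Desktop\u5GtsPYWPJ.exe",
     "CommandLine": r'"C:\Users\user\Desktop\u5GtsPYWPJ.exe"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 6292, "Image": r"C:\Users\user\Desktop\u5GtsPYWPJ.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs"},
    {"EventID": 1, "ProcessId": 6600, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
     "ParentImage": r"C:\Users\user\Desktop\u5GtsPYWPJ.exe"},
    {"EventID": 1, "ProcessId": 5080, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 1144",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
    {"EventID": 1, "ProcessId": 7001, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /i "C:\Program Files\Vendor\Svc.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "ProcessId": 7002, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\user\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["rule"]:26} pid={hit["pid"]} {hit["detail"]}')
```

The third finding appears only because the WerFault -p argument points at a PID already flagged in the first pass; on its own, a crash of InstallUtil.exe is not a signal. The benign InstallUtil.exe launch (PID 7001) is not flagged because it carries arguments and is parented by cmd.exe rather than by a binary under a user profile.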


              AV Detection

Source: C:\Users\user\AppData\Roaming\Count.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\Count.exe | Virustotal: Detection: 52%
Source: u5GtsPYWPJ.exe | Virustotal: Detection: 52%
Source: u5GtsPYWPJ.exe | ReversingLabs: Detection: 79%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Count.exe | Joe Sandbox ML: detected
Source: u5GtsPYWPJ.exe | Joe Sandbox ML: detected
Source: u5GtsPYWPJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: u5GtsPYWPJ.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbxP source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdbqQ, source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: u5GtsPYWPJ.exe, 00000000.00000002.1727434169.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: ((.pdb source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.00000000009CA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb3 source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbR source: InstallUtil.exe, 00000001.00000002.2946020220.00000000009CA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: u5GtsPYWPJ.exe, 00000000.00000002.1727434169.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000988000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000988000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: o.pdb source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: >symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbR[ source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.pdb8 source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBpwT source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000988000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.00000000009CA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdbh source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb( source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n8C:\Windows\InstallUtil.pdbA source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_0555087A: 4x nop then jmp 05550C24h
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05550888: 4x nop then jmp 05550C24h
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B80D48: 4x nop then jmp 05B80E00h
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B80D40: 4x nop then jmp 05B80E00h
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp, u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp, u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B825D8 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B84ED0 NtResumeThread
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B825D1 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B84EC8 NtResumeThread
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_023ECF20
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_023ECF13
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05557298
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_0555EA38
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05557288
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_0555087A
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05550888
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_0555EA28
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B60006
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B60040
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B7E230
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Code function: 0_2_05B85A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B235C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B23E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B268D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B268C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B27A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B27A09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B23BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B23BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 1_2_00B26FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 1144
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZaflzhwbmkh.exe" vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1721268265.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZaflzhwbmkh.exe" vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707198664.00000000008EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZaflzhwbmkh.exe" vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002621000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1727434169.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1724249366.0000000004D60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOxrnlxikngj.dll" vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1727670446.0000000006040000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNOV DUE SOA.exe8 vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe | Binary or memory string: OriginalFilenameNOV DUE SOA.exe8 vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Count.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.expl.evad.winEXE@4/3@0/0
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\796fabf9-9fdc-4ade-88a7-d486e966247b
Source: u5GtsPYWPJ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | File read: C:\Users\user\Desktop\u5GtsPYWPJ.exe
Source: unknown | Process created: C:\Users\user\Desktop\u5GtsPYWPJ.exe "C:\Users\user\Desktop\u5GtsPYWPJ.exe"
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: u5GtsPYWPJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: u5GtsPYWPJ.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: u5GtsPYWPJ.exe | Static file information: File size 1459712 > 1048576
Source: u5GtsPYWPJ.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x163c00

              Data Obfuscation

              Source: Yara match, file source: 0.2.u5GtsPYWPJ.exe.5280000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.1726001159.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: Process Memory Space: u5GtsPYWPJ.exe PID: 6292, type: MEMORYSTR
              Source: Yara match, file source: Process Memory Space: InstallUtil.exe PID: 6600, type: MEMORYSTR
              Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe, code function: 0_2_0555CBAF push eax; retf 0_2_0555CBB9
              Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe, code function: 0_2_05B67107 push ecx; ret 0_2_05B6710C
              Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe, code function: 0_2_05B84287 push ebx; ret 0_2_05B842DA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, code function: 1_2_00B24CB7 push cs; iretd 1_2_00B24CBB
              Source: u5GtsPYWPJ.exe, static PE information: section name: .text entropy: 7.956489995745493
              Source: Count.exe.0.dr, static PE information: section name: .text entropy: 7.956489995745493
              Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe, file created: C:\Users\user\AppData\Roaming\Count.exe
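              The two static indicators above (a .text section at 7.956 bits per byte, and push/ret style control-flow sequences) can be reproduced offline. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks the PE section table, scores each section's Shannon entropy against a 7.0 threshold, and counts push/ret byte patterns in executable sections. The PE image it analyses is constructed inside build_sample_pe() for demonstration; to triage the real files, pass the bytes of u5GtsPYWPJ.exe and of the dropped Count.exe to triage(). Since the report lists the same entropy for both, hashing both files alongside this check is the quick way to confirm the drop is a copy of the original.

```python
"""Static triage for the two obfuscation indicators listed above: per-section
entropy (packed/encrypted code sits near 8 bits per byte) and push/ret style
control-flow tricks in executable sections. Added example; build_sample_pe()
constructs a small PE32 image for demonstration, it is not the analysed sample."""
import math
import random
import struct

ENTROPY_THRESHOLD = 7.0          # bits/byte; uncompressed native code usually lands around 6
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes, executable) for every section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    for i in range(num_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = hdr[0].rstrip(b"\x00").decode("ascii", "replace")
        size_raw, ptr_raw, characteristics = hdr[3], hdr[4], hdr[9]
        yield name, image[ptr_raw:ptr_raw + size_raw], bool(characteristics & IMAGE_SCN_MEM_EXECUTE)


def push_ret_sites(code: bytes) -> list:
    """Offsets of byte patterns matching the report's push/ret indicators:
    push r32 (0x50-0x57), push cs (0x0E) or push imm32 (0x68) followed by
    ret (0xC3), retf (0xCB) or iretd (0xCF). Byte scanning ignores instruction
    alignment, so expect false positives inside data and multi-byte opcodes."""
    returns = (0xC3, 0xCB, 0xCF)
    hits = []
    for i, b in enumerate(code):
        if (0x50 <= b <= 0x57 or b == 0x0E) and i + 1 < len(code) and code[i + 1] in returns:
            hits.append(i)
        elif b == 0x68 and i + 5 < len(code) and code[i + 5] in returns:
            hits.append(i)
    return hits


def triage(image: bytes) -> list:
    """Per-section summary: entropy, packed flag, and push/ret hit count for code sections."""
    report = []
    for name, raw, executable in pe_sections(image):
        h = shannon_entropy(raw)
        report.append({
            "section": name,
            "entropy": round(h, 3),
            "packed": h >= ENTROPY_THRESHOLD,
            "push_ret_sites": len(push_ret_sites(raw)) if executable else 0,
        })
    return report


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 skeleton (optional header omitted): a
    high-entropy .text with two planted push/ret gadgets and a zero-filled .rdata."""
    text = bytearray(random.Random(1).randbytes(4096))   # stands in for packed code
    text[100:102] = b"\x51\xC3"                          # push ecx; ret
    text[200:206] = b"\x68\x78\x56\x34\x12\xC3"          # push 0x12345678; ret
    rdata = b"\x00" * 2048
    opt_size = 0
    headers_len = 0x40 + 4 + 20 + opt_size + 2 * 40
    text_off = (headers_len + 0x1FF) & ~0x1FF             # 512-byte file alignment
    rdata_off = text_off + len(text)
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    sections = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_off,
                           0, 0, 0, 0, 0x60000020)        # CODE | EXECUTE | READ
    sections += struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata), rdata_off,
                            0, 0, 0, 0, 0x40000040)       # INITIALIZED_DATA | READ
    image = dos + coff + sections
    image += b"\x00" * (text_off - len(image)) + bytes(text) + rdata
    return image


if __name__ == "__main__":
    for row in triage(build_sample_pe()):
        print(row)
```

              The push/ret counter is a byte-pattern heuristic, not a disassembler: treat a non-zero count as a reason to look at the section in a disassembler, not as a verdict. Entropy is the more robust of the two signals, and a .text section near 8 bits per byte in a .NET executable is a strong sign that the real payload is decrypted or decompressed at runtime, which matches the in-memory Yara hits listed above.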

              Boot Survival

              Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs (reported 3 times: once as a dropped file, twice as a behavior event)
              Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe, process information set: NOOPENFILEERRORBOX (40 occurrences; a SetErrorMode flag that suppresses the "file not found" dialog, also set routinely by benign .NET processes, so low signal on its own)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, process information set: NOOPENFILEERRORBOX (30 occurrences)
              Source: C:\Windows\SysWOW64\WerFault.exe, process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)
              Source: C:\Windows\SysWOW64\WerFault.exe, process information set: NOOPENFILEERRORBOX (2 occurrences)
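              The persistence in this section is a plain file drop: a .vbs placed in the per-user Startup folder, which the shell runs at every logon. The detection below is an added example, not part of the report and not a Sigma rule from any vendor: it flags FileCreate events whose target is a script file in a per-user or all-users Startup folder. SAMPLE_EVENTS are constructed Sysmon Event ID 11 records modelled on the paths in the report, not log lines from the analysed run; the field names (EventID, Image, TargetFilename) follow Sysmon's schema.

```python
"""Detection for script files written to a Windows Startup folder, the
persistence mechanism in the Boot Survival entries above (Count.vbs). Added
example: SAMPLE_EVENTS are constructed Sysmon Event ID 11 (FileCreate)
records modelled on the report's paths, not log lines from the analysed run."""

# Startup folder suffixes, lower-cased and without the drive/user-profile prefix
STARTUP_DIR_SUFFIXES = (
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup",  # per-user
    r"\programdata\microsoft\windows\start menu\programs\startup",      # all users
)
# Extensions the shell hands to a script host or cmd when launched from Startup
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}


def normalize_path(path: str) -> str:
    """Lower-case, use backslashes, and drop the \\?\ and \??\ native prefixes."""
    p = path.lower().replace("/", "\\")
    if p.startswith("\\\\?\\") or p.startswith("\\??\\"):
        p = p[4:]
    return p


def is_startup_script_drop(target: str) -> bool:
    """True when target is a script file inside a per-user or all-users Startup folder."""
    p = normalize_path(target)
    parent, _, name = p.rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in SCRIPT_EXTS and parent.endswith(STARTUP_DIR_SUFFIXES)


def find_startup_script_drops(events) -> list:
    """Return (Image, TargetFilename) for every FileCreate event that matches."""
    return [
        (ev["Image"], ev["TargetFilename"])
        for ev in events
        if ev.get("EventID") == 11 and is_startup_script_drop(ev["TargetFilename"])
    ]


# Constructed events: only the first and the last should fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\u5GtsPYWPJ.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\u5GtsPYWPJ.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Count.exe"},            # outside Startup
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Tray.lnk"},  # shortcut, not a script
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "TargetFilename": ""},                                                      # not a FileCreate
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"\\?\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
]

if __name__ == "__main__":
    for image, target in find_startup_script_drops(SAMPLE_EVENTS):
        print(f"{image} -> {target}")
```

              Shortcuts (.lnk) are deliberately excluded because installers legitimately place them in the all-users Startup folder; if you widen the rule to cover them, key on the writing process instead, since a user-profile executable such as the sample's Desktop path writing anything into Startup is the stronger signal. For response, the dropped Count.vbs and C:\Users\user\AppData\Roaming\Count.exe are the artifacts to collect and remove together, as the script exists only to relaunch the executable at logon.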

              Malware Analysis System Evasion